Back to CVE Browser

CVE-2017-9101

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0790%

EPSS Percentile26.89th

PublishedMay 21, 2017

Last ModifiedMay 13, 2026

Vulnerability Description

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.

Affected Platforms (CPE)

📦

Playsms

Playsms

= 1.4

References & Advisories

🔗 https://www.exploit-db.com/exploits/42044/

🔗 https://www.exploit-db.com/exploits/44598/

🔗 https://www.exploit-db.com/exploits/42044/

🔗 https://www.exploit-db.com/exploits/44598/

Related Vulnerabilities

CVE-2020-86449.8

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

CVE-2021-403739.8

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and t...

CVE-2017-90808.8

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a...

CVE-2018-183878.8

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.