CyberSec.Space Logo
Back to CVE Browser

CVE-2018-17036

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0090%
EPSS Percentile40.13th
PublishedSep 14, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Affected Platforms (CPE)

📦
Ucms Project

Ucms

= 1.4.6
📦
Ucms Project

Ucms

= 1.6

References & Advisories

🔗 https://github.com/blackstar24/UCMS/blob/master/phpinfo.md
🔗 https://github.com/blackstar24/UCMS/blob/master/phpinfo.md

Related Vulnerabilities

CVE-2020-254839.8

An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can g...

CVE-2018-170359.8

UCMS 1.4.6 has SQL injection during installation via the install/index.php mysql_dbname parameter.

CVE-2020-57579.8

Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated r...

CVE-2020-255379.8

File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain server managem...