CyberSec.Space Logo
Back to CVE Browser

CVE-2021-40373

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1320%
EPSS Percentile7.25th
PublishedSep 10, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.

Affected Platforms (CPE)

πŸ“¦
Playsms

Playsms

< 1.4.5

References & Advisories

πŸ”— https://github.com/maikroservice/CVE-2021-40373
πŸ”— https://playsms.org/2021/09/04/playsms-1-4-5-released/
πŸ”— https://github.com/maikroservice/CVE-2021-40373
πŸ”— https://playsms.org/2021/09/04/playsms-1-4-5-released/

Related Vulnerabilities

CVE-2020-86449.8

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

CVE-2017-91019.8

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTT...

CVE-2017-90808.8

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a...

CVE-2018-183878.8

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.