CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-9082

Known Exploited (CISA KEV)HIGH
8.8
CVSS Severity Score
EPSS Score60.3220%
EPSS Percentile86.32th
Published2019年2月24日
Last Modified2025年12月9日

Vulnerability Description

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Affected Platforms (CPE)

📦
Thinkphp

Thinkphp

< 3.2.4
📦
Opensourcebms

Open Source Background Management System

= 1.1.1
📦
Zzzcms

Zzzphp

= 1.6.1

References & Advisories

🔗 http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html
🔗 https://github.com/xiayulei/open_source_bms/issues/33
🔗 http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html
🔗 https://github.com/xiayulei/open_source_bms/issues/33
🔗 https://www.exploit-db.com/exploits/46488/
🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9082

関連する脆弱性情報

CVE-2018-252709.8

ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code...

CVE-2020-201209.8

ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" an...

CVE-2020-197059.8

thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.

CVE-2021-365649.8

ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter...

CVE-2019-9082 Detail & Impact Analysis | CVSS 8.8 (HIGH) | Cyber-Sec.Space | Cyber-Sec.Space