The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.
[
{
"product": "Generator",
"vendor": "PHP FormMail",
"versions": [
{
"lessThan": "2016-12-06",
"status": "affected",
"version": "2016-12-06",
"versionType": "custom"
}
]
}
]