CVE-2018-17826

HisiPHP 1.0.8 is vulnerable to CSRF via admin.php/admin/user/adduser.html, enabling an attacker to create an administrator account. This account can then leverage app/common/model/AdminAnnex.php to add .php to the allowed file-upload types list (.jpg, .png, .gif, .jpeg, .ico), facilitating arbitr...