CVE-2017-14048
BlackCat CMS 1.2 is affected. Remote authenticated users can inject arbitrary PHP code into info.php via a crafted new_modulename parameter to backend/addons/ajax_create.php, enabling code execution. The issue is also exploitable via CSRF; root cause is insufficient validation in ajax_create.php....