2 matches found
CVE-2017-16941
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a...
CVE-2017-16941
October CMS 1.0.428 and earlier is vulnerable because themes allow .htaccess usage, enabling remote authenticated users to execute arbitrary PHP by corrupting a theme ZIP downloaded from /backend/cms/themes and re-uploading it with a malicious .php and .htaccess. Root cause is failure to block .h...