CVE-2018-9848
In GxlcmsQY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote arbitrary PHP code execution. An attacker first sends Admin-Admin-Configsave to modify config[upload_class] from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php, then issues Admin-Upload-Upload to run...