An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/161162/CMSUno-1.6.2-Remote-Code-Execution.html | Exploit Third Party Advisory VDB Entry |
https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html | Exploit Third Party Advisory |
Configurations
History
28 Jan 2021, 17:51
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://packetstormsecurity.com/files/161162/CMSUno-1.6.2-Remote-Code-Execution.html - Exploit, Third Party Advisory, VDB Entry |
28 Jan 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-11-13 16:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-25538
Mitre link : CVE-2020-25538
CVE.ORG link : CVE-2020-25538
JSON object : View
Products Affected
cmsuno_project
- cmsuno
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')