CRITICAL🇵🇱 Wersja polska

CVE-2023-42286

CVSS 9.8v3.1pub. 2024-03-14upd. 2025-04-16

There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.

🤖 AI Analysis
How it works

The vulnerability (CWE-434) results from insufficient validation of files included through the template configuration mechanism. An attacker can prepare a malicious payload containing a path to a PHP file or other resource controlled by them. After processing such a payload by the application, the server executes the code or system commands contained in it. Due to the network vector without authentication requirements (AV:N/PR:N/UI:N), the attack can be conducted remotely by any person.

Impact

An attacker can execute arbitrary code or system commands on the server, leading to complete system takeover, data theft, modification of website content, and potential use of the server as a launching point for further attacks.

Mitigation & patch

Apply patches available from the vendor according to references. It is also recommended to restrict access to the administration panel and template configuration module exclusively to trusted IP addresses.

Who is affected

EyouCMS version v1.6.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Eyoucms

    APP
    Eyoucms
    1.6.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-26273CRITICAL9.8ten sam produkt

EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment log...

CVE-2022-26279CRITICAL9.8ten sam produkt

EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.

CVE-2020-24000CRITICAL9.8ten sam produkt

SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sen...

CVE-2021-39497CRITICAL9.8ten sam produkt

eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via...

CVE-2025-65868HIGH7.5ten sam produkt

XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via...