There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload.
The vulnerability (CWE-434) results from insufficient validation of files included through the template configuration mechanism. An attacker can prepare a malicious payload containing a path to a PHP file or other resource controlled by them. After processing such a payload by the application, the server executes the code or system commands contained in it. Due to the network vector without authentication requirements (AV:N/PR:N/UI:N), the attack can be conducted remotely by any person.
An attacker can execute arbitrary code or system commands on the server, leading to complete system takeover, data theft, modification of website content, and potential use of the server as a launching point for further attacks.
Apply patches available from the vendor according to references. It is also recommended to restrict access to the administration panel and template configuration module exclusively to trusted IP addresses.
EyouCMS version v1.6.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEyoucms
APPEyoucms1.6.4
Related vulnerabilities
EyouCMS v1.5.4 was discovered to lack parameter filtering in \user\controller\shop.php, leading to payment log...
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sen...
eyoucms 1.5.4 lacks sanitization of input data, allowing an attacker to inject a url to trigger blind SSRF via...
XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via...