CVE-2019-9082 – ThinkPHP Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2019-9082

24 Feb 2019 — ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. ThinkPHP, en versiones anteriores a la 3.2.4, tal y como se emplea en Open Source BMS v1.1.1 y otros productos, permite la ejecución remota de comandos mediante public//?s=index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=systemvars[1][]=, seguido por el co... • https://packetstorm.news/files/id/151967 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function •