CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2018-19748
https://notcve.org/view.php?id=CVE-2018-19748
29 Nov 2018 — app/plug/attachment/controller/admincontroller.php in SDCMS 1.6 allows reading arbitrary files via a /?m=plug&c=admin&a=index&p=attachment&root= directory traversal. The value of the root parameter must be base64 encoded (note that base64 encoding, instead of URL encoding, is very rare in a directory traversal attack vector). app/plug/attachment/controller/admincontroller.php en SDCMS 1.6 permite leer archivos arbitrarios mediante uhn salto de directorio en /?m=plugc=admina=indexp=attachmentroot=. El valor ... • https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_directory_traversal.doc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 2CVE-2018-19520
https://notcve.org/view.php?id=CVE-2018-19520
25 Nov 2018 — An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management. Se ha descubierto un problema en la versión 1.6 de SDCMS con PHP 5.x. app/admin/controller/themecontroller.php utiliza una función check_bad para intentar bloquear determinadas funciones PHP,... • https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_code_execution.doc • CWE-94: Improper Control of Generation of Code ('Code Injection') •