2021
06.01

IPS Community Suite versions 4.5.4.2 and below suffer from a PHP code injection vulnerability. The vulnerability exists because the IPScmsmodulesfrontpages_builder::previewBlock() method allows to pass arbitrary content to the IPS_Theme::runProcessFunction() method, which will be used in a call to the eval() PHP function. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permission to manage the sidebar (such as a Moderator or Administrator) and the “cms” application to be enabled.

No Comment.

Add Your Comment

You must be logged in to post a comment.