CVE ID
CVE-2023-46468
GitHub
https://github.com/juzaweb/cms
Affected Version
Up to and including v3.4
Vulnerability Classification
Eval injection
Detailed Description
The juzawebCMS version 3.4 and its predecessors suffer from a critical vulnerability wherein a remote attacker can execute arbitrary code. This vulnerability stems from inadequate input validation and sanitation mechanisms within the custom plugin function.
The vulnerability can be exploited through the following steps:
1.Insertion of Malicious PHP Code into Custom Plugins: The attacker can embed malicious PHP code into custom plugins, as demonstrated in the following screenshot:
2.Uploading of Custom Plugins: The attacker uploads the tampered custom plugins onto the system, as illustrated below:
3.Enabling of Plugins: The attacker then activates the malicious plugins within the system:
4.Refreshing the Page to Trigger the Vulnerability: Upon refreshing the page, the system executes the injected code, leading to arbitrary code execution:
[...]CVE-2023-46468MISC[...]