PHP Code Evaluation Vulnerability in FUEL CMS by Daylight Studio
CVE-2018-16763

9.8CRITICAL

Key Information:

Vendor

Thedaylightstudio

Status
Fuel Cms
Vendor
CVE Published:
9 September 2018

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐ŸŸฃ EPSS 93%

What is CVE-2018-16763?

FUEL CMS version 1.4.1 is susceptible to a significant vulnerability that allows for PHP code execution. By manipulating the 'pages/select/' filter parameter or the 'preview/' data parameter, an attacker can execute arbitrary PHP code remotely without authentication. This flaw poses a severe risk, enabling potential exploitation by unauthorized users, leading to undesirable actions within the affected system.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-16763 - Proof of Concept

CVE-2018-16763-FuelCMS-1.4.1-RCE
Created by p0dalirius

CVE-2018-16763
Created by padsalatushal

References

https://github.com/daylightstudio/FUEL-CMS/issues/478
x_refsource_MISC
https://0xd0ff9.wordpress.com/2019/07/19/from-code-evalua...
x_refsource_MISC
https://www.exploit-db.com/exploits/47138
exploitx_refsource_EXPLOIT-DB

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.