Description
Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor.
References (4)
Core 4
Core References
Patch x_refsource_misc
https://github.com/symphonycms/symphony-2/commit/e30a18f8f09dca836e141bf126a26e565c9a2bc7
Issue Tracking, Patch x_refsource_misc
https://github.com/symphonycms/symphony-2/issues/2655
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97594
Exploit, Third Party Advisory x_refsource_misc
http://www.math1as.com/symphonycms_2.7_exec.txt
Scores
CVSS v3
8.8
EPSS
0.0542
EPSS Percentile
90.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
getsymphony/symphony
< 2.6.11
Published
Apr 11, 2017
Tracked Since
Feb 18, 2026