CVE-2018-19520
SDCMS 1.6 - Authenticated Remote Code Execution via preg_replace 'e' Call in Theme Management
Severity: HIGH
Title source: llmDescription
An issue was discovered in SDCMS 1.6 running on PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but it does not block preg_replace calls that use the 'e' modifier, which on PHP 5.x evaluates the replacement string as PHP code. An authenticated user with access to admin template management can therefore execute arbitrary code.
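The contrast the description draws, a denylist that recognises eval but not the preg_replace 'e' modifier, is shown below as an added Python example. It is not SDCMS code: the real check_bad and the names it blocks are not on this page, so the NAIVE_BLOCKLIST, the function names and the three sample templates are constructed assumptions for illustration, and the constructed preg_replace template is not the advisory's exploit document.

```python
"""Denylist template filter versus a check that also catches preg_replace /e.

Added example, not SDCMS code. The blocklist, helper names and sample templates
are assumptions constructed for illustration.
"""
import re
from typing import List

# Hypothetical reconstruction of a denylist like the check_bad the advisory
# describes. Which names it blocks is an assumption; SDCMS's list is not shown.
NAIVE_BLOCKLIST = ("eval(", "system(", "exec(", "passthru(", "shell_exec(")


def check_bad_naive(template: str) -> bool:
    """Flag a template only if a denylisted function call name appears verbatim."""
    lowered = template.lower()
    return any(token in lowered for token in NAIVE_BLOCKLIST)


# preg_replace( '<delim>pattern<delim>modifiers' ... ) where the modifiers contain 'e'.
# PHP function names are case-insensitive, so only that part gets (?i:); the 'e'
# modifier itself is case-sensitive. Symmetric delimiters (/ # ~ | ...) are matched
# by the first alternative, bracket-pair delimiters by the remaining ones.
PREG_REPLACE_E = re.compile(
    r"""
    (?i:preg_replace)\s*\(\s*
    (?P<q>['"])                               # opening quote of the PHP string literal
    (?:
        (?P<d>[^a-zA-Z0-9\\\s(){}\[\]<'"])    # symmetric delimiter
        (?:\\.|(?!(?P=d)).)*?                 # pattern body, escapes allowed
        (?P=d)
      | \((?:\\.|[^)])*\)                     # (...) delimiters
      | \{(?:\\.|[^}])*\}                     # {...}
      | \[(?:\\.|[^\]])*\]                    # [...]
      | <(?:\\.|[^>])*>                       # <...>
    )
    [A-Za-z]*e[A-Za-z]*                       # modifier string containing 'e'
    (?P=q)                                    # closing quote of the literal
    """,
    re.VERBOSE | re.DOTALL,
)


def find_preg_replace_e(template: str) -> List[str]:
    """Return each preg_replace call whose pattern string carries the 'e' modifier."""
    return [m.group(0) for m in PREG_REPLACE_E.finditer(template)]


def check_bad_hardened(template: str) -> bool:
    """Denylist plus explicit detection of the preg_replace 'e' modifier."""
    return check_bad_naive(template) or bool(find_preg_replace_e(template))


# Constructed sample templates (not taken from the advisory's exploit document).
BENIGN = "<?php echo preg_replace('/\\s+/', ' ', $title); ?>"
EVAL_TEMPLATE = "<?php eval($_POST['c']); ?>"
PREG_E_TEMPLATE = "<?php preg_replace('/.*/e', 'phpinfo()', ''); ?>"


if __name__ == "__main__":
    samples = (("benign", BENIGN), ("eval", EVAL_TEMPLATE), ("preg /e", PREG_E_TEMPLATE))
    for name, tpl in samples:
        print(f"{name:8} naive={check_bad_naive(tpl)!s:5} hardened={check_bad_hardened(tpl)}")
```

The naive filter passes the preg_replace template because no blocked name appears in it, yet on PHP 5.x the 'e' modifier makes preg_replace evaluate the substituted replacement as PHP code, so the call is equivalent to eval. The modifier was deprecated in PHP 5.5 and removed in PHP 7.0, which is why the affected php/php range on this page stops at 5.6.x. The hardened check closes this one gap but is still a denylist over template text: on PHP 5.x, assert with a string argument, create_function, variable functions and names assembled from string pieces all remain. The durable fix is not a longer list but either not evaluating admin-supplied templates as PHP at all or treating template management as the code-execution privilege it is.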
References (2)
Exploit, Third Party Advisory (x_refsource_misc): https://blog.whiterabbitxyj.com/cve/SDCMS_1.6_code_execution.doc
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/WhiteRabbitc/WhiteRabbitc.github.io/blob/master/cve/SDCMS_1.6_code_execution.doc
Scores
CVSS v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0102 (percentile 77.4%)
Note that the vector encodes PR:L even though the description requires access to admin template management; weigh the privilege requirement against the role that is actually granted template editing in a given deployment.
Details
CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products (2)
php/php 5.0.0 - 5.6.38
sdcms/sdcms 1.6
Published: Nov 25, 2018
Tracked Since: Feb 18, 2026