CVE-2019-6713
CRITICALThinkCMF 5.0.190111 - Remote Code Execution via Route Configuration Injection
Title source: llmDescription
app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call.
References (2)
Core 2
Core References
Permissions Required, Third Party Advisory x_refsource_misc
http://www.ttk7.cn/post-108.html
Release Notes, Vendor Advisory x_refsource_misc
https://www.thinkcmf.com/download.html
Scores
CVSS v3
9.8
EPSS
0.0237
EPSS Percentile
81.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
thinkcmf/thinkcmf
5.0.190111
Published
Jan 23, 2019
Tracked Since
Feb 18, 2026