CVE
CVE-2019-9082
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system...
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=calluserfunc_array&vars[0]=system&vars[1][]= followed by the command.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?fieldcve=CVE-2019-9082, http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html, https://github.com/xiayulei/opensource_bms/issues/33, https://www.exploit-db.com/exploits/46488/
Basic Information
Ecosystem
