ImpressPages cm_group Parameter Remote PHP Code Execution
High Nessus Plugin ID 64686
Synopsis: The remote web server hosts an application that allows arbitrary code execution.
Description: The ImpressPages install hosted on the remote web server contains a flaw that allows arbitrary PHP code execution. Input passed to the 'cm_group' parameter is not properly sanitized before being used in a PHP eval() function call. An unauthenticated, remote attacker can leverage this vulnerability to execute arbitrary PHP code on the remote host.
Solution: Upgrade to version 1.0.13 or later.
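
For log triage on a host that ran a version earlier than 1.0.13, the following added example (not part of the Nessus plugin or of ImpressPages) scans web access log lines for 'cm_group' values containing anything other than letters, digits and underscores. It assumes combined-format logs, that legitimate values are plain identifiers, and that the parameter was sent in the URL, since values sent in a request body do not appear in access logs; the sample log lines and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate cm_group values are plain identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]+")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def cm_group_values(log_line):
    """Return every decoded cm_group value found in the request URL."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    values = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "cm_group":
            # parse_qsl decodes once; decode again to catch double encoding.
            values.append(unquote(value))
    return values

def suspicious_lines(log_lines):
    """Return (line_number, value) for cm_group values outside the allow-list."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for value in cm_group_values(line):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP range, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2013:10:00:00 +0000] "GET /?cm_group=text_photos HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2013:10:00:05 +0000] "GET /?cm_group=a%3Bb%28%29 HTTP/1.1" 200 87',
    '192.0.2.77 - - [01/Jan/2013:10:00:09 +0000] "GET /?cm_group=a%253Bb HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Jan/2013:10:00:12 +0000] "GET /about HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in suspicious_lines(SAMPLE_LOG):
        print(f"line {number}: unexpected cm_group value {value!r}")
```

A hit is a lead for investigation, not proof of compromise, and an empty result does not rule out requests that carried the parameter in a POST body.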