CVE-2024-8880 | playSMS 1.4.4/1.4.5/1.4.6/1.4.7 Template index.php username/email/captcha code injection

A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection.

This vulnerability is traded as CVE-2024-8880. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure.

It is recommended to upgrade the affected component.

CVE-2024-8880 | playSMS 1.4.4/1.4.5/1.4.6/1.4.7 Template index.php username/email/captcha code injection

Related Posts

CVE-2024-25629 | c-ares up to 1.26.x Null Character ares__read_line memory corruption

CVE-2024-3867 | Tainacan Interface Plugin up to 2.7.1 on WordPress cross site scripting

CVE-2023-37520 | HCL HCL BigFix Platform 9.5.x/10.0.x/11.0.0 Gather Status Report cross site scripting (KB0109376)

CVE-2024-30003 | Microsoft unknown vulnerability