Recently, Chinese security researchers discovered a vulnerability in CmsEasy. An attacker can submit a malicious link on the front-end to obtain the website administrator's privileges, resulting in the leakage of sensitive data on the website. This vulnerability poses a high security risk.
See the following for more information about the vulnerability.
CmsEasy front-end unrestricted GetShell vulnerability
The vulnerability allows an unauthenticated attacker to upload a Webshell file via a specially crafted malicious link. The attacker thereby gains Webshell-level access to the CmsEasy system, resulting in the leakage of sensitive system data.
Condition and method of exploitation
CmsEasy <= 5.6_20160825
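As an added example (not part of the advisory and not CmsEasy project code), the following Python helper compares version strings written in CmsEasy's `5.6_20160825` form against the affected range stated above, so a defender can triage an inventory of installations. The advisory does not say where CmsEasy records its version string, so the functions take the string as input; the host inventory below is constructed, and the version `5.6_20161012` used to represent a patched build is an assumption, not a value taken from the advisory.

```python
import re
from typing import Dict, Iterable, Tuple

# Latest affected build, as stated in the advisory: CmsEasy <= 5.6_20160825
LAST_AFFECTED = "5.6_20160825"

# Version strings in the "major.minor_YYYYMMDD" form used by the advisory.
# The date suffix is optional so that a bare "5.6" can still be classified.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:_(\d{8}))?\s*$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor_YYYYMMDD' into a comparable (major, minor, build) tuple.

    A missing build date is treated as build 0, the oldest possible build of
    that major.minor line. This is the conservative choice for a defender: an
    unknown build of 5.6 is reported as affected rather than assumed patched.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised CmsEasy version string: {version!r}")
    major, minor, build = m.groups()
    return int(major), int(minor), int(build) if build else 0


def is_affected(version: str) -> bool:
    """True if the given CmsEasy version lies within the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (host, version) pairs as AFFECTED, not affected, or unparseable.

    Unparseable version strings are flagged rather than silently skipped, so
    that a host with a mangled or missing version is not lost from the review.
    """
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "AFFECTED" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up for this
# example; 5.6_20161012 is an assumed post-upgrade build string).
SAMPLE_INVENTORY = [
    ("cms-prod-01.example", "5.6_20160825"),  # exactly the last affected build
    ("cms-prod-02.example", "5.6_20161012"),  # assumed patched build
    ("cms-legacy.example", "5.5"),            # older line, no build date
    ("cms-test.example", "unknown"),          # version could not be read
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22s} {status}")
```

Run the script as-is to see the constructed inventory classified; in practice, feed `triage()` the version strings collected from your own installations.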
How to fix or mitigate
Back up the existing files and data. Download the package upgrade_20161012, decompress it, and upload its contents to the CmsEasy installation folder, overwriting the existing files.