| Title | ctcms 2.1.2 Command Injection |
|---|
| Description | CTCMS (Ctcms video system) version 2.1.2 contains a command execution vulnerability in the backend system configuration module. An authenticated administrator can modify system configuration settings to inject malicious code, leading to remote code execution.The vulnerability exists in the system configuration management functionality. When an administrator saves system configuration settings, the system writes the configuration data to `/ctcms/libs/Ct_Config.php` without proper sanitization. By intercepting the request and adding malicious parameters to "Duplicate Entry Rules" or "Secondary Update Rules", an attacker can inject PHP code that will be executed when the configuration file is accessed. |
|---|
| Source | ⚠️ https://note-hxlab.wetolink.com/share/87u6f02Gho0K |
|---|
| User | airrudder (UID 25092) |
|---|
| Submission | 12/05/2025 08:59 (6 months ago) |
|---|
| Moderation | 12/15/2025 18:02 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 336487 [CTCMS Content Management System up to 2.1.2 Backend System Configuration Ct_Config.php Cj_Add/Cj_Edit code injection] |
|---|
| Points | 20 |
|---|