eFront <= 3.6.10 (save_template.php) PHP Code Injection Vulnerability
Description:
eFront contains a flaw that allows a remote attacker to inject and execute arbitrary PHP code. The issue is due to the www/editor/tiny_mce/plugins/save_template/save_template.php script, which fails to properly sanitize user-supplied input passed via the ‘templateName’ and ‘templateContent’ parameters before using it in a call to the file_put_contents() PHP function.
Disclosure Date:
October 27, 2011
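
A hardened form of the kind of save handler described above, as an added example (not eFront's code and not the vendor's fix). The function name `save_template_safely`, the forced `.html` extension, and the temporary directory are assumptions, and the inputs at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of eFront. Assumes templates are HTML
// fragments kept in one directory the web server does not execute as PHP.
function save_template_safely(string $templateDir, string $templateName, string $templateContent): string
{
    // Allowlist the name: no dots, path separators, or null bytes, so the
    // caller cannot pick the extension or leave the template directory.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $templateName)) {
        throw new InvalidArgumentException('invalid template name');
    }
    // Refuse content a PHP interpreter would run; fail closed on regex errors.
    // This also rejects "<?xml", acceptable for HTML fragments.
    if (preg_match('/<\?|<script\b[^>]*language\s*=\s*["\']?php/i', $templateContent) !== 0) {
        throw new InvalidArgumentException('template content must not contain PHP tags');
    }
    $base = realpath($templateDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('template directory missing');
    }
    // The server, not the request, chooses the directory and the extension.
    $target = $base . DIRECTORY_SEPARATOR . $templateName . '.html';
    if (file_put_contents($target, $templateContent, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed inputs: one valid template, then three that must be refused.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$cases = [
    ['welcome', '<p>Hello</p>'],
    ['welcome.php', '<p>Hello</p>'],
    ['../welcome', '<p>Hello</p>'],
    ['welcome', '<?php echo 1; ?>'],
];
foreach ($cases as [$name, $content]) {
    try {
        echo 'saved: ', basename(save_template_safely($dir, $name, $content)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $name, '): ', $e->getMessage(), PHP_EOL;
    }
}
```

The content filter is a second layer only; the controls that matter are the name allowlist, the server-chosen extension, and a storage directory where PHP execution is disabled.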