webEdition CMS
cpe:2.3:a:webedition:webedition_cms:*:*:*:*:*:*:*
- 2.9.8.8
A remote code execution vulnerability exists in webEdition CMS version 2.9.8.8. It allows an authenticated attacker to inject and execute system commands by creating a PHP page with malicious commands in the description field. The injected commands are executed on the server, potentially leading to unauthorized access or manipulation of server resources.
Exploitation of this vulnerability allows for remote code execution on the server where webEdition CMS is installed.
To reproduce this vulnerability, log into an account with access to the webEdition CMS. Navigate to the 'New' section and select 'Webedition page'. Choose the PHP option and enter a payload in the description area that includes PHP code to execute system commands, such as one that reads the contents of the '/etc/passwd' file. Once the page is created, the injected PHP code will be executed on the server.