Primary

Context

LMXCMS Code Injection Vulnerability in Maintenance Component

Vulnerability

A code injection vulnerability has been identified in LMXCMS version 1.41, specifically within the Maintenance component's db.inc.php file. This vulnerability allows attackers to inject arbitrary code, which can be executed remotely. The exploitation process is complex and requires a certain level of authentication.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where LMXCMS is hosted.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the database backup and restore module. Select any table for backup, then use the restore backup feature to access the file deletion interface. Delete the 'install_ok.txt' file, which triggers a system reset. During the database configuration process, inject a payload that writes a web shell into the db.inc.php file. Once the payload is executed, it will result in arbitrary code execution on the server.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

LMXCMS Code Injection Vulnerability in Maintenance Component

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating