CTCMS Content Management System Code Injection Vulnerability in Backend App Configuration Module

Vulnerability

A code injection vulnerability has been identified in CTCMS Content Management System versions through 2.1.2. The issue resides in the Backend App Configuration Module, specifically in the Save function of /ctcms/libs/Ct_App.php. An authenticated administrator can inject code by manipulating the CT_App_Paytype argument; the injected content is written into the configuration file and executed whenever that file is loaded. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where CTCMS is installed.

Reproduction

To reproduce this vulnerability, an authenticated administrator must access the backend APP configuration page. After navigating to the APP configuration settings, the administrator can intercept the request and add a malicious payload to the 'APP Payment Method' parameter. Once the request is sent, the injected code will be executed when the configuration file is accessed.
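The root cause described above is a settings value that is written verbatim into a generated PHP configuration file and later loaded as code. The following PHP is an added illustration of that vulnerability class and its fix; it is not code from CTCMS or from Ct_App.php, and the function names, file paths and the value format accepted by the validator are assumptions made for the example.

```php
<?php
// Added illustration (not CTCMS code): a configuration "save" routine that
// persists a payment-type setting to a PHP file which the application later
// include()s. The first version shows the unsafe pattern; the second shows
// a hardened pattern a defender would want instead.

// UNSAFE (hypothetical): the submitted value is concatenated straight into
// PHP source, so any PHP syntax it contains becomes part of the program
// the next time the configuration file is loaded.
function write_paytype_config_unsafe(string $path, string $paytype): void
{
    $php = "<?php\n\$config['paytype'] = '" . $paytype . "';\n";
    file_put_contents($path, $php);
}

// HARDENED: validate the value against a strict format first, then let
// var_export() emit a properly quoted PHP literal so the value can only
// ever be data, never code. The accepted format (a comma-separated list of
// short alphanumeric tokens) is an assumption for this example; adjust it
// to the set of payment methods the application actually supports.
function validate_paytype(string $paytype): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}(,[A-Za-z0-9_]{1,32}){0,15}$/', $paytype)) {
        throw new InvalidArgumentException('invalid payment type value');
    }
    return $paytype;
}

function write_paytype_config_safe(string $path, string $paytype): void
{
    $config = ['paytype' => validate_paytype($paytype)];
    $php = "<?php\nreturn " . var_export($config, true) . ";\n";

    // Write to a temporary file and rename so a partially written
    // configuration file is never loaded by a concurrent request.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false) {
        throw new RuntimeException('could not write configuration');
    }
    rename($tmp, $path);
}

// Defensive check for an already-deployed site: a generated configuration
// file produced by the hardened writer contains exactly one statement
// (a return of an array literal). Any additional tokens indicate tampering.
function config_file_looks_clean(string $path): bool
{
    $tokens = token_get_all(file_get_contents($path));
    foreach ($tokens as $t) {
        if (!is_array($t)) {
            continue; // single-character tokens such as '(' or ';'
        }
        // Only these token kinds appear in a var_export()ed array return.
        $allowed = [T_OPEN_TAG, T_RETURN, T_ARRAY, T_CONSTANT_ENCAPSED_STRING,
                    T_DOUBLE_ARROW, T_LNUMBER, T_DNUMBER, T_WHITESPACE,
                    T_STRING]; // T_STRING covers the bare words array/true/false/null
        if (!in_array($t[0], $allowed, true)) {
            return false;
        }
        if ($t[0] === T_STRING
            && !in_array(strtolower($t[1]), ['array', 'true', 'false', 'null'], true)) {
            return false; // any other identifier (a function name, for example)
        }
    }
    return true;
}

// Constructed usage: a benign value round-trips; a value carrying PHP
// syntax is rejected before anything reaches the filesystem.
$target = sys_get_temp_dir() . '/ct_app_paytype_example.php';
write_paytype_config_safe($target, 'alipay,wxpay');
var_dump(require $target);                 // array('paytype' => 'alipay,wxpay')
var_dump(config_file_looks_clean($target)); // bool(true)
try {
    write_paytype_config_safe($target, "x'; system('id'); //");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

A simpler alternative to the hardened writer is to stop generating PHP altogether and store the setting as JSON or in the database, reading it back with json_decode(); the data is then never parsed as code, and the tokenizer-based check becomes unnecessary. On an existing installation, running config_file_looks_clean() against the generated configuration file is a quick way to confirm it holds nothing beyond the expected array literal.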

Added: Dec 15, 2025, 11:19 PM
Updated: Dec 15, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.2
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.