CVE-2013-10051 PUBLISHED

InstantCMS <= 1.6 Remote PHP Code Execution

Assigner: VulnCheck
Reserved: 01.08.2025 Published: 01.08.2025 Updated: 05.08.2025

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	InstantCMS
Product	InstantCMS
Versions	Default: unknown affected from * to 1.6 (incl.)

Credits

Ricardo Jorge Borges de Almeida finder

References

Problem Types

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE

Impacts

CAPEC-242 Code Injection
CAPEC-137 Parameter Injection