CVE-2018-19127
published 2018-11-09

Priority: P182 | critical | 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 20.77% (97.2th percentile)

A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.

Affected

1 range

Vendor | Product | Version range | Fixed in
phpcms | phpcms | |

Detection & IOCs (extracted from sources)

path: /type.php
path: /data/cache_template/*.tpl.php
path: /data/cache_template/rss.tpl.php
url: /type.php?template=tag_(){};echo(md5(999999999));{//../rss
bytes: <?php function
  • Monitor GET requests to /type.php containing a 'template' parameter with PHP code or template injection payloads (e.g., containing 'echo', 'md5', or function definitions).
  • Alert on creation or modification of files matching the pattern data/cache_template/*.tpl.php, especially those containing PHP executable code injected via the template parameter.
  • Detect exploitation attempts by checking for subsequent GET requests to /data/cache_template/rss.tpl.php (or similar .tpl.php files) after a suspicious /type.php request — this is the two-step RCE pattern.
  • Use Shodan/FOFA queries to identify exposed PHPCMS 2008 instances: search for 'Powered by phpcms' in HTTP response bodies.
  • The exploit is unauthenticated; no session or login is required. Flag any anonymous/unauthenticated access to /type.php with a non-trivial template parameter.
  • The controllable filename in the cache path means the attacker can choose the output .tpl.php filename (e.g., 'rss' in rss.tpl.php) via the template parameter path traversal segment ({//../rss), so detection rules should cover wildcard filenames under data/cache_template/, not just 'rss.tpl.php'.
  • The Nuclei template uses a two-request flow (http(1) OR http(2)), meaning the first request triggers the write and the second verifies execution. Detection logic should correlate both requests rather than treating them independently.
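
The two-request correlation described in the bullets above, as an added example that is not part of the original page or of the Nuclei template it mentions. The combined access-log format, the five-minute window and the "plain identifier" test for a benign template value are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2018:10:00:01 +0000] "GET /type.php?template=tag_(){};echo(md5(999999999));{//../rss HTTP/1.1" 200 512
203.0.113.7 - - [09/Nov/2018:10:00:03 +0000] "GET /data/cache_template/rss.tpl.php HTTP/1.1" 200 32
198.51.100.9 - - [09/Nov/2018:10:05:00 +0000] "GET /type.php?template=list HTTP/1.1" 200 2048
198.51.100.9 - - [09/Nov/2018:10:05:02 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')
PLAIN_NAME = re.compile(r'[\w-]*')  # assumption: benign template values are plain identifiers
CACHE_HIT = re.compile(r'/data/cache_template/[^/]+\.tpl\.php$')  # any filename, not just rss
WINDOW = timedelta(minutes=5)       # assumption: correlation window between the two requests

def correlate(log_text):
    """Return (client, write_url, cache_path) for each write-then-fetch pair."""
    pending = {}  # client -> (time, url) of its latest suspicious /type.php request
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(url)
        if parts.path.endswith("/type.php"):
            # parse_qs also percent-decodes, so encoded payloads are checked too.
            values = parse_qs(parts.query, keep_blank_values=True).get("template", [])
            if any(not PLAIN_NAME.fullmatch(v) for v in values):
                pending[client] = (when, url)
        elif CACHE_HIT.search(parts.path) and client in pending:
            seen, write_url = pending[client]
            if when - seen <= WINDOW:
                alerts.append((client, write_url, parts.path))
    return alerts

if __name__ == "__main__":
    for client, write_url, cache_path in correlate(SAMPLE_LOG):
        print(f"ALERT {client}: {write_url} followed by {cache_path}")
```
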

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | | 9.8 | CRITICAL |