LoveCMS 1.6.2 does not require administrative authentication for (1) addblock.php, (2) blocks.php, and (3) themes.php in system/admin/, which allows remote malicious users to change the configuration or execute arbitrary PHP code via addition of blocks, and other vectors.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
lovecms lovecms 1.6.2 |