15Eyl
CVE-2024-8880 | playSMS 1.4.4/1.4.5/1.4.6/1.4.7 Template index.php username/email/captcha code injection
A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. This vulnerability is traded as CVE-2024-8880. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure. It is recommended to upgrade the affected component.