PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPlaysms
APPPlaysms< 1.4.3
CISA KEV — detailsi
- Vendori
- PlaySMS
- Producti
- PlaySMS
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Apply updates per vendor instructions.
PlaySMS contains a server-side template injection vulnerability that allows for remote code execution.
Related vulnerabilities
A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to ...
playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of cor...
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involvin...
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. se...
Multiple directory traversal vulnerabilities in playSMS 0.9.3 allow remote attackers to include and execute ar...