Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution.
The DB::prepare() function responsible for preparing SQL queries uses a preg_replace() call with the /e modifier, which in PHP causes evaluation of the matched expression as PHP code (eval). An attacker can supply crafted input data that will be injected as SQL query parameters and then interpreted and executed as PHP code by the eval mechanism. As a result, this leads to a combination of SQL injection (CWE-89) and arbitrary code execution (CWE-94) in a single attack vector.
An attacker without any authentication can execute arbitrary PHP code on the server (RCE), which in practice means complete takeover of the system, data theft or modification, as well as the possibility of lateral movement within the internal network.
Patches available from the vendor should be applied according to the references. As a remedial measure, disabling or isolating the Saurus CMS instance from public access should be immediately considered until the patch is applied. The /e modifier in preg_replace() is deprecated and removed in newer PHP versions — verification of the PHP environment configuration may limit exploitation.
Saurus CMS Community Edition version 4.7.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H