Critical severity 9.8 · NVD Advisory · Published Aug 21, 2017 · Updated May 13, 2026

CVE-2017-11366

Description

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.
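
The flaw class described above and the fix pattern, as an added PHP illustration. It is not Codiad's code: the command layout, the function names and the sample values are assumptions made for the example, and nothing in it is executed by a shell.

```php
<?php
// Added illustration; the command layout and function names are hypothetical,
// not taken from Codiad's class.filemanager.php.

// Pre-patch pattern: request values are pasted into the command line as-is.
function build_unescaped(string $path, string $type, string $needle): string
{
    return "find $path -name $type -exec grep -l $needle {} +";
}

// Hardened pattern: validate the file-type filter against an allow-list,
// then quote every value at the point where the command string is assembled.
function build_escaped(string $path, string $type, string $needle): string
{
    if (!preg_match('/\A[A-Za-z0-9_.*-]{1,32}\z/', $type)) {
        throw new InvalidArgumentException('unsupported file type filter');
    }
    return sprintf(
        'find %s -name %s -exec grep -l -e %s {} +',
        escapeshellarg($path),
        escapeshellarg($type),
        escapeshellarg($needle)   // -e keeps a leading '-' from being read as an option
    );
}

// Constructed sample inputs (not from any real request).
$path    = '/var/www/workspace/demo';
$benign  = '*.php';
$hostile = '*.php; echo INJECTED';

// The strings are only printed for inspection, never passed to a shell.
echo build_unescaped($path, $hostile, 'TODO'), PHP_EOL;
echo build_escaped($path, $benign, 'TODO'), PHP_EOL;

try {
    build_escaped($path, $hostile, 'TODO');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Even without the allow-list, quoting keeps the value a single argument.
echo escapeshellarg($hostile), PHP_EOL;
```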

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| codiad/codiad (Packagist) | < 2.8.3 | 2.8.3 |

Patches

1
ca5089eeba42

Merge pull request #1013 from cheiff/master

https://github.com/Codiad/Codiad · daeks · Jul 25, 2017 · via ghsa
1 file changed · +3 −3
  • components/filemanager/class.filemanager.php · +3 −3 · modified
    @@ -57,7 +57,7 @@ public function __construct($get, $post, $files)
                 $this->rel_path .= "/";
             }
             if (!empty($get['query'])) {
    -            $this->query = $get['query'];
    +            $this->query = escapeshellarg($get['query']);
             }
             if (!empty($get['options'])) {
                 $this->foptions = $get['options'];
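
Review bot: In the constructor, `$this->query = escapeshellarg($get['query']);` quotes the value when it is read rather than where the command line is built, so every later use of `$this->query`, shell or not, now receives a string wrapped in single quotes. I would keep the raw value on the object and call escapeshellarg() at the point where the command string is assembled. The context line `$this->foptions = $get['options'];` is still assigned unescaped; if it reaches the same command it needs the same handling, or validation against an allow-list.
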
    @@ -71,10 +71,10 @@ public function __construct($get, $post, $files)
             }
             // Search
             if (!empty($post['search_string'])) {
    -            $this->search_string = $post['search_string'];
    +            $this->search_string = escapeshellarg($post['search_string']);
             }
             if (!empty($post['search_file_type'])) {
    -            $this->search_file_type = $post['search_file_type'];
    +            $this->search_file_type = escapeshellarg($post['search_file_type']);
             }
             // Create
             if (!empty($get['type'])) {
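
Review bot: For `search_string` and `search_file_type`, the escaping happens at assignment and the code that builds the search command is not part of this diff, so the fix only holds if that code inserts both properties bare. If the command template wraps them in its own double quotes, the single quotes added by escapeshellarg() become literal characters and shell expansion inside the double quotes still applies; please confirm the template or move the escapeshellarg() calls next to it. If `search_file_type` is only meant to carry a file extension or glob, validating it against an allow-list before use would add a second layer.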
    
