CVE-2023-27037
Description
Remote code execution in QiboCMS v7 via eval injection in the Get_Title function at label_set_rs.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Get_Title function in label_set_rs.php of QiboCMS v7. The function takes a $format array; when $format['eval_code'] is set, its value is passed straight to eval() with no sanitization [1]. In addition, $format['sql'] and $format['sql2'] are themselves passed to eval() when they contain the literal string $GLOBALS[ [1]. Anyone who controls the contents of $format can therefore execute arbitrary PHP in the application. The affected version is QiboCMS v7.
Exploitation
An attacker must be able to control the $format array that Get_Title receives. The cited reference does this by storing a serialized array with an eval_code key in the label record that the function later reads, then requesting a page that renders that label; the injected code runs with the privileges of the web application [1]. Note that the practical precondition is write access to the label data (see Preconditions below), not merely the ability to reach the endpoint; the available references do not establish whether that write is possible without authentication.
Impact
Successful exploitation results in remote code execution (RCE), enabling the attacker to execute arbitrary PHP commands on the server. This can lead to full compromise of the CMS, data exfiltration, and potential lateral movement within the network.
Mitigation
As of the publication date (2023-03-16), no official patch had been released. Until one is available, restrict access to the label management functionality and the vulnerable endpoint, audit the qb_label table for entries whose serialized code carries an eval_code key or $GLOBALS[ inside the sql/sql2 fields, and, if QiboCMS v7 is end-of-life, migrate to a supported release. The available references provide no vendor workaround [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
Root cause
"The Get_Title function in label_set_rs.php improperly uses eval() on user-controlled input within the eval_code parameter."
Attack vector
An attacker exploits this vulnerability by selecting a label entry via its `lid` and updating the `code` field of that `qb_label` row to a serialized array whose `eval_code` element holds PHP code, while setting `typesystem` to 1 and `type` to 'code' [ref_id=1]. When Get_Title is invoked with this modified label the code is executed; the attacker then visits the URL that renders the label to trigger it, for example to run the `whoami` command [ref_id=1].
Affected code
The vulnerability lies within the Get_Title function in the file label_set_rs.php. Specifically, the code processes the `eval_code` element of the `$format` array, which an attacker can control by manipulating the `qb_label` table [ref_id=1]. The reference also notes that `js.php` includes and executes cached label files, which may carry the injected code to the point where it runs.
What the fix does
The provided bundle does not contain information about a patch or specific remediation steps. The advisory indicates that the vulnerability is present in QiboCMS v7 and affects the Get_Title function at label_set_rs.php, but does not detail how the vulnerability is fixed.
Preconditions
- The attacker must be able to modify the `qb_label` table, specifically the `code`, `typesystem`, and `type` fields for a given `lid` [ref_id=1].
- `format[SYS]` must not be 'CMS', and `format[sql2]` and `format[tplpart_2code]` must be truthy for execution to reach the vulnerable `eval()` call [ref_id=1].
Reproduction
1. Update a `qb_label` entry (e.g., with `lid=741`) by setting its `code` field to 'a:6:{s:13:"tplpart_1code";s:4:"test";s:13:"tplpart_2code";s:4:"test";s:3:"SYS";s:7:"artcile";s:9:"eval_code";s:17:"system("whoami");";s:3:"sql";s:24:"select * from qb_article";s:4:"sql2";b:1;}' and setting `typesystem=1` and `type='code'`.
2. Visit the affected URL, ensuring the parameters trigger the `Get_Title` function with the modified label data. This should result in the execution of the injected `system("whoami");` command.
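As an added example (not code from QiboCMS or from the cited reference), the following Python audit script applies the conditions described in the Vulnerability, Preconditions and Reproduction sections to exported qb_label rows: it parses the PHP-serialized `code` column, flags rows whose `$format` array carries an `eval_code` element or smuggles `$GLOBALS[` into `sql`/`sql2`, and reports whether the stated reachability preconditions hold. The column order (lid, typesystem, type, code) follows the fields named above; the sample rows are constructed here, the first being the reproduction payload.

```python
"""Audit exported QiboCMS qb_label rows for the Get_Title eval-injection pattern.

Added example; not QiboCMS code. The column order (lid, typesystem, type, code)
and the sample rows below are constructed for illustration.
"""


def php_unserialize(data):
    """Minimal PHP unserialize() for scalars and arrays (object tags rejected).

    Supports N (null), i, d, b, s and a. PHP measures strings in bytes; this
    reader counts characters, which is equivalent for the ASCII payloads here.
    """
    def parse(pos):
        tag = data[pos]
        if tag == 'N':                                  # N;
            return None, pos + 2
        if tag in 'ibd':                                # i:5;  b:1;  d:1.5;
            end = data.index(';', pos)
            raw = data[pos + 2:end]
            value = int(raw) if tag == 'i' else float(raw) if tag == 'd' else raw == '1'
            return value, end + 1
        if tag == 's':                                  # s:LEN:"...";  (LEN-delimited, quotes inside are fine)
            colon = data.index(':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            if data[start + length:start + length + 2] != '";':
                raise ValueError('malformed string at offset %d' % pos)
            return data[start:start + length], start + length + 2
        if tag == 'a':                                  # a:COUNT:{key;value;...}
            colon = data.index(':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            result = {}
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            if data[pos] != '}':
                raise ValueError('malformed array at offset %d' % pos)
            return result, pos + 1
        raise ValueError('unsupported or object tag %r at offset %d' % (tag, pos))

    value, _ = parse(0)
    return value


EVAL_SINKS = ('sql', 'sql2')   # eval'd by Get_Title when they contain '$GLOBALS['


def audit_label(typesystem, type_, code):
    """Return the reasons one qb_label row matches the pattern, or [] if clean.

    Per the reproduction steps only rows with typesystem=1 and type='code'
    carry a serialized $format array for Get_Title; other rows are skipped.
    """
    if typesystem != 1 or type_ != 'code':
        return []
    try:
        fmt = php_unserialize(code)
    except (ValueError, IndexError) as exc:
        return ['code column is not parseable PHP serialized data: %s' % exc]
    if not isinstance(fmt, dict):
        return []

    reasons = []
    if fmt.get('eval_code'):
        reasons.append('eval_code is set and goes straight to eval(): %r' % fmt['eval_code'])
    for key in EVAL_SINKS:
        value = fmt.get(key)
        if isinstance(value, str) and '$GLOBALS[' in value:
            reasons.append("%s contains '$GLOBALS[' and is eval'd: %r" % (key, value))
    if reasons:
        # Reachability guards as stated in the Preconditions section; the page
        # may not list every guard present in the real function.
        reachable = (fmt.get('SYS') != 'CMS'
                     and bool(fmt.get('sql2')) and bool(fmt.get('tplpart_2code')))
        reasons.append('stated preconditions for reaching eval(): %s'
                       % ('met' if reachable else 'not met'))
    return reasons


def audit_rows(rows):
    """Audit (lid, typesystem, type, code) tuples; return {lid: reasons} for flagged rows."""
    findings = {}
    for lid, typesystem, type_, code in rows:
        reasons = audit_label(typesystem, type_, code)
        if reasons:
            findings[lid] = reasons
    return findings


# Constructed sample export of qb_label; row 741 is the payload from the reproduction.
SAMPLE_ROWS = [
    (741, 1, 'code',
     'a:6:{s:13:"tplpart_1code";s:4:"test";s:13:"tplpart_2code";s:4:"test";'
     's:3:"SYS";s:7:"artcile";s:9:"eval_code";s:17:"system("whoami");";'
     's:3:"sql";s:24:"select * from qb_article";s:4:"sql2";b:1;}'),
    (742, 1, 'code',   # benign label: no eval_code, plain SQL
     'a:3:{s:3:"SYS";s:7:"article";s:3:"sql";s:21:"select * from qb_user";s:4:"sql2";b:0;}'),
    (743, 1, 'code',   # sql smuggles $GLOBALS[, but SYS='CMS' fails the stated guard
     'a:3:{s:3:"SYS";s:3:"CMS";s:3:"sql";s:42:"select 1 from qb_user where id=$GLOBALS[x]";s:4:"sql2";b:1;}'),
    (744, 0, 'html', '<b>hello</b>'),   # not a code label; never reaches Get_Title's $format path
]

if __name__ == '__main__':
    for lid, reasons in audit_rows(SAMPLE_ROWS).items():
        print('lid=%d' % lid)
        for reason in reasons:
            print('  -', reason)
```

Run it against a real export by replacing SAMPLE_ROWS with the result of `SELECT lid, typesystem, type, code FROM qb_label`; any row that reports a reason should be reviewed by hand, since a legitimate label with a non-empty eval_code is exactly what this bug turns into a backdoor.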
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0 (No linked articles in our index yet.)