An issue was discovered in UCMS. It allows PHP code injection via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.
Vulnerability version number:
When in the progress of installing.The systemdomain name control is not strict during installation, which can lead to PHP code executed.
Suggestions for rectification:
Filter user input data.