CVE-2021-43741
CMSimple 5.4
LFI to Remote Code Execution
Reported by S1lv3r
Description:
Remote code execution exists when a post-auth user uploads a file using PHP's session.upload_progress feature and then triggers the LFI on config.php.
Version:
CMSimple 5.4
Attack Type:
Remote
Impact:
Remote Command Execution
1- Go to Settings:
2-

3- config.php content will be:

4- Result
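
Added defensive example (not part of the original advisory and not CMSimple code): a check that scans a config.php for setting values that climb out of the application directory or point at PHP session files, which is the kind of value the LFI described above depends on. It assumes settings are written as `$cf['section']['key']="value";`; the section and key names in the sample are hypothetical.

```python
import re

# Assumed config.php line shape: $cf['section']['key']="value";
ASSIGN = re.compile(
    r"""\$cf\[['"](\w+)['"]\]\[['"](\w+)['"]\]\s*=\s*(['"])(.*?)\3\s*;"""
)

# Value patterns that have no place in a setting later used as a file path.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\.[/\\]")),
    # "sess_" is the file name prefix of PHP's default file session handler.
    ("PHP session file", re.compile(r"(^|[/\\])sess_[A-Za-z0-9,-]+")),
    ("stream wrapper", re.compile(r"^(php|data|phar|zip|expect|file)://", re.I)),
    ("absolute path", re.compile(r"^(/|[A-Za-z]:[/\\])")),
    ("null byte", re.compile(r"%00|\x00")),
]


def audit_config(text):
    """Return [(section, key, value, [reasons])] for settings that look like LFI pivots."""
    findings = []
    for m in ASSIGN.finditer(text):
        section, key, value = m.group(1), m.group(2), m.group(4)
        reasons = [name for name, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            findings.append((section, key, value, reasons))
    return findings


# Constructed sample; section and key names are hypothetical, not taken from CMSimple.
SAMPLE = r'''<?php
$cf['site']['title']="My site";
$cf['site']['template']="default";
$cf['paths']['extra_file']="../../../../tmp/sess_abc123";
$cf['mail']['address']="admin@example.org";
?>'''

if __name__ == "__main__":
    for section, key, value, reasons in audit_config(SAMPLE):
        print(f"{section}.{key} = {value!r}: {', '.join(reasons)}")
```

Running it against a known-good copy of config.php first gives a baseline, so that later findings can be treated as changes to investigate.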

PoC:
https://www.exploit-db.com/exploits/50547
References:
https://www.exploit-db.com/docs/50157