Zanfi CMS Lite index.php inc Variable Arbitrary Command Execution
Remote / Network Access
Loss of Integrity
ZanfiCmsLite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the index.php script not properly sanitizing input to the "inc" variable. An attacker may use this to include an arbitrary file from a remote server which will be processed and any commands executed.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.