{"id":"CVE-2019-9082","details":"ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.","modified":"2026-03-15T14:35:55.875735Z","published":"2019-02-24T18:29:00.207Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-9082"},{"type":"REPORT","url":"https://github.com/xiayulei/open_source_bms/issues/33"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46488/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/top-think/thinkphp","events":[{"introduced":"0"},{"fixed":"728c0fc21e9b438b930b916a8257a25ea9ffaf79"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.2.4"}]}},{"type":"GIT","repo":"https://github.com/xiayulei/open_source_bms","events":[{"introduced":"0"},{"last_affected":"9c65010617e3545c99de0ec37defc2a5211024de"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.1"}]}}],"versions":["3.1.0","3.1.2","3.1.3","3.2.0","3.2.1","3.2.2","3.2.3","v1.1","v1.1.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.6.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9082.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}