A command injection can be achieved by any user that can edit a PHPWiki page in a project.
An attacker could use this vulnerability to execute code on the server as the codendiadm user.
CVSSv3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Create a PHPWiki page and put something like <?plugin SyntaxHighlighter syntax=";id" a ?> in it.
The CVE ID CVE-2017-7981 has been attributed to this vulnerability.
Thank you to Ben Nott (firstname.lastname@example.org) to report and coordinate with us the disclosure of this vulnerability.