CVE-2018-16320

idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file.