Secure Installer from unauthenticated access
The current installer of WCF allows the use of an external database server without verifying that the installing user is the owner of that database server. This can result in a takeover of the webspace (install the WCF with external database > login as admin > install plugin with webshell > access to OS) if the user has only uploaded the installer but has not installed the WCF yet, or is still in the middle of doing so.
Other CMSs like Joomla (see https://nvd.nist.gov/vuln/detail/CVE-2017-11364) have already reacted and implemented additional checks, such as writing a file that the user must delete in order to continue the installation if they use an external database server (see https://docs.joomla.org/J3.x:Secured_procedure_for_installing_Joomla_with_a_remote_database).
More information about this issue can be found here: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Hanno-Boeck-Abusing-Certificate-Transparency-Logs-UPDATED.pdf
Another reference, which describes how this issue is automatically exploited for WordPress instances: https://smitka.me/2022/07/01/wordpress-installer-attack-race/
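
The file-deletion check described above for Joomla, sketched as an added PHP example. It is not WCF or Joomla code; the function names, the `.install_challenge` state file and the sample database host are assumptions made for illustration.

```php
<?php
// Added example; function names and file layout are hypothetical, not WCF or Joomla code.
const LOCAL_DB_HOSTS = ['localhost', '127.0.0.1', '::1'];

function isRemoteDbHost(string $host): bool
{
    $host = strtolower(trim($host));
    if (preg_match('/^\[(.+)\](?::\d+)?$/', $host, $m)) {
        $host = $m[1];                      // "[::1]:3306" -> "::1"
    } elseif (substr_count($host, ':') === 1) {
        $host = explode(':', $host, 2)[0];  // "localhost:3306" -> "localhost"
    }
    // Fail closed: anything not on the allowlist counts as remote.
    return !in_array($host, LOCAL_DB_HOSTS, true);
}

// Returns [proven, challengeFileName]. The name is not a secret; the proof is
// that only someone with filesystem access to the webspace can delete the file.
function checkOwnership(string $installDir): array
{
    $state = $installDir . '/.install_challenge';
    if (!is_file($state)) {
        $name = '_delete_me_' . bin2hex(random_bytes(8)) . '.txt';
        $body = "Delete this file to continue the installation.\n";
        if (file_put_contents("$installDir/$name", $body) === false
            || file_put_contents($state, $name, LOCK_EX) === false) {
            throw new RuntimeException('Cannot write challenge file; refusing to continue.');
        }
        return [false, $name];
    }
    $name = basename(trim((string) file_get_contents($state)));
    clearstatcache();
    return [$name !== '' && !file_exists("$installDir/$name"), $name];
}

// Constructed demo in a temporary directory standing in for the install folder.
$dir = sys_get_temp_dir() . '/installer_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
$dbHost = 'db.example.net:3306';            // constructed sample value

if (isRemoteDbHost($dbHost)) {
    [$ok, $file] = checkOwnership($dir);    // first request: challenge is created
    echo $ok ? "continue\n" : "blocked: delete $file first\n";
    unlink("$dir/$file");                   // the site owner removes it via FTP/SSH
    [$ok] = checkOwnership($dir);           // next request: deletion is detected
    echo $ok ? "continue\n" : "still blocked\n";
}
```

The installer would run this gate before accepting remote database credentials, so a visitor who can reach the installer URL but cannot modify files in the webspace never gets past the challenge.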