SB2019071107 - Remote code injection in domokeeper
Published: July 11, 2019
Security Bulletin ID
SB2019071107
Severity
High
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Code Injection (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the path to required module is passed in a HTTP request without any sanitization. A remote attacker can read output of "json" file or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
PoC:
http://[host]/plugins/.%2Fpackage.json
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.