CVE-2021-4466

IPCop <= 2.1.9 Authenticated RCE

CVSS 8.7 HIGHEPSS 0.5%CWE-78

IPCop versions up to and including 2.1.9 contain an authenticated remote code execution vulnerability within the web-based administration interface. The email configuration component inserts user-controlled values, including the EMAIL_PW parameter, directly into system-level operations without proper input sanitation. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an authenticated attacker can execute arbitrary operating system commands with the privileges of the web interface, resulting in full system compromise.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Produtos afetados

IPCop Project · IPCop

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://sourceforge.net/projects/ipcop/https://www.exploit-db.com/exploits/50183 https://www.ipcop.org/https://www.vulncheck.com/advisories/ipcop-authenticated-rce