| Title | Leadshop Leadshop <=1.4.20 Configuration injection vulnerability |
|---|
| Description | The Leadshop software, version 1.4.20 and below, has a pre-authentication configuration injection vulnerability in the 'leadshop.php' file that can lead to Remote Code Execution (RCE). The vulnerability arises from the 'install' function which accepts user-supplied parameters and writes them into the configuration php file. By crafting malicious parameters, such as in the MySQL database password, an attacker can inject arbitrary PHP code into the application's configuration file, leading to RCE when the file is included and executed in the application's context. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/vLswXhWxUrs8 |
|---|
| User | glzjin (ID 59815) |
|---|
| Submission | 01/19/2024 11:53 (4 months ago) |
|---|
| Moderation | 01/19/2024 13:02 (1 hour later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 251562 |
|---|