| Title | https://github.com/Jrohy https://github.com/Jrohy/trojan v2.15.3 Command Injection |
|---|
| Description | There is a critical command injection (Remote Code Execution, RCE) vulnerability in the /trojan/log endpoint of the jrohy-trojan web interface. The issue arises because user input from the line query parameter is concatenated directly into a shell command without proper sanitization. As a result, remote attackers can inject arbitrary shell commands, leading to full command execution on the server with the privileges of the web service. This allows attackers to compromise the server, steal sensitive data, or further escalate their attack. No authentication is required for exploitation due to CVE-2024-55215, making the vulnerability even more dangerous. |
|---|
| Source | ⚠️ https://github.com/Tritium0041/Jrohy-trojan-RCE-POC |
|---|
| User | Tritium (UID 50779) |
|---|
| Submission | 05/29/2025 10:30 AM (1 month ago) |
|---|
| Moderation | 06/03/2025 02:50 PM (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 310966 [Jrohy trojan up to 2.15.3 trojan/util/linux.go LogChan c os command injection] |
|---|
| Points | 20 |
|---|