| عنوان | Qualitor Qualitor Web 8.20/8.24 Code Injection |
|---|
| الوصف | Critical Code Injection vulnerability in Qualitor Web version 8.20/8.20 BD 206. The file /html/st/stdeslocamento/request/getResumo.php uses the eval() function execute the content of the passageiros parameter received via $_REQUEST without proper validation. Despite the presence of a sanitizeEval() function, the sanitization is insufficient to prevent code injection.
This vulnerability allows unauthenticated attackers to inject arbitrary PHP code that will be executed directly on the server. Through this injection, attackers can escalate to Remote Code Execution (RCE) using functions such as system(), exec(), passthru(), or shell_exec(), enabling the execution of operating system commands, establishment of reverse shells, unauthorized access and modification of sensitive data including configuration files and databases, lateral movement within the network, and potentially complete compromise of the affected server. |
|---|
| المصدر | ⚠️ https://www.youtube.com/watch?v=hU8YbFc6KpI |
|---|
| المستخدم | mtzsec (UID 52162) |
|---|
| ارسال | 07/11/2025 08:19 PM (8 أشهر منذ) |
|---|
| الاعتدال | 29/11/2025 09:36 PM (22 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 333796 [Qualitor حتى 8.20.104/8.24.97 getResumo.php eval passageiros تجاوز الصلاحيات] |
|---|
| النقاط | 17 |
|---|