| Title | Ruijie EG105G-P 1.40 Command Injection |
|---|---|
| Description | An authenticated command injection issue was identified in the Ruijie Reyee EG105G-P web management interface. The vulnerable path is the authenticated JSON-RPC diagnose endpoint: `POST /cgi-bin/luci/api/diagnose?auth=<sid>`. When the nslookup diagnostic method is called, the user-controlled `params.target` value is inserted into a shell command without shell quoting. Supplying a newline character in `params.target` causes the shell to execute an additional command after the intended nslookup command. The issue was reproduced against a live EG105G-P device by injecting a newline followed by a curl request to a local HTTP callback listener. The callback was received from the device IP address, and the diagnose API response included the callback listener response body. |
| Source | ⚠️ https://github.com/ictrun/java/issues/6 |
| User | ictrun (UID 83482) |
| Submission | 14.05.2026 03:29 (1 month ago) |
| Moderation | 14.06.2026 09:02 (1 month later) |
| Status | Accepted |
| VulDB Entry | 370840 [Ruijie EG105G-P 2.340 JSON-RPC Diagnose Endpoint diagnose nslookup params.target privilege escalation] |
| Points | 20 |
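
The description attributes the flaw to `params.target` reaching a shell command unquoted. As an added example (not Ruijie's firmware code and not taken from the linked report), the Python below puts that concatenation pattern beside a hardened form: a strict allow-list check on the target, an argv list meant to be executed without a shell, and a request check for the diagnose endpoint. All function names and the sample request bodies are assumptions constructed from the description.

```python
import ipaddress
import json
import re

# Allow-list first: ipaddress accepts arbitrary text after '%' (IPv6 scope id).
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_target(target):
    """Accept only an IP address literal or an RFC 1123 hostname."""
    if not isinstance(target, str) or len(target) > 253:
        return False
    if not _ALLOWED.fullmatch(target):  # rejects newline, space, ';', '%', ...
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in target.split("."))


def unsafe_command(target):
    """The flawed pattern: the value is concatenated into a shell string."""
    return "nslookup " + target


def safe_argv(target):
    """Hardened form: validate, then build an argv list run without a shell."""
    if not is_valid_target(target):
        raise ValueError("invalid nslookup target")
    return ["nslookup", target]


def inspect_request(body):
    """Return True if a diagnose request body should be rejected."""
    try:
        req = json.loads(body)
        return not is_valid_target(req["params"]["target"])
    except (ValueError, KeyError, TypeError):
        return True  # malformed requests are rejected as well


# Constructed sample bodies (shape assumed from the description above).
BENIGN = json.dumps({"method": "nslookup", "params": {"target": "example.com"}})
HOSTILE = json.dumps({"method": "nslookup",
                      "params": {"target": "example.com\necho INJECTED"}})
```

The argv list from `safe_argv` is intended for an exec-style call that bypasses the shell, so validation and shell-free execution each block the newline on their own.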