| 제목 | Qualitor Qualitor Web 8.20/8.24 Code Injection |
|---|
| 설명 | Critical Code Injection vulnerability in Qualitor Web version 8.20/8.20 BD 206. The file /html/st/stdeslocamento/request/getResumo.php uses the eval() function execute the content of the passageiros parameter received via $_REQUEST without proper validation. Despite the presence of a sanitizeEval() function, the sanitization is insufficient to prevent code injection.
This vulnerability allows unauthenticated attackers to inject arbitrary PHP code that will be executed directly on the server. Through this injection, attackers can escalate to Remote Code Execution (RCE) using functions such as system(), exec(), passthru(), or shell_exec(), enabling the execution of operating system commands, establishment of reverse shells, unauthorized access and modification of sensitive data including configuration files and databases, lateral movement within the network, and potentially complete compromise of the affected server. |
|---|
| 원천 | ⚠️ https://www.youtube.com/watch?v=hU8YbFc6KpI |
|---|
| 사용자 | mtzsec (UID 52162) |
|---|
| 제출 | 2025. 11. 07. PM 08:19 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 11. 29. PM 09:36 (22 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 333796 [Qualitor 까지 8.20.104/8.24.97 getResumo.php eval passageiros 권한 상승] |
|---|
| 포인트들 | 17 |
|---|