| 제목 | Kodbox 1.64 Command Injection |
|---|
| 설명 | KodBox’s fileThumb plugin contains a post-auth command injection vulnerability in the normal video preview path. The configurable ffmpegBin value is inserted directly into a shell_exec() command in parseVideoInfo() without proper validation or escaping. As a result, an authenticated user with plugin configuration rights can inject arbitrary shell commands and trigger their execution simply by clearing the FFmpeg cache and requesting a video preview.
|
|---|
| 원천 | ⚠️ https://vulnplus-note.wetolink.com/share/R0hHqwMywhsm |
|---|
| 사용자 | vulnplusbot (UID 96250) |
|---|
| 제출 | 2026. 04. 22. PM 12:36 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 16. PM 06:23 (24 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 364380 [kalcaddle Kodbox 까지 1.64 fileThumb Plugin VideoResize.class.php parseVideoInfo ffmpegBin 권한 상승] |
|---|
| 포인트들 | 20 |
|---|