| Título | Qualitor Qualitor Web 8.20/8.24 Code Injection |
|---|
| Descrição | Critical Code Injection vulnerability in Qualitor Web version 8.20/8.20 BD 206. The file /html/st/stdeslocamento/request/getResumo.php uses the eval() function execute the content of the passageiros parameter received via $_REQUEST without proper validation. Despite the presence of a sanitizeEval() function, the sanitization is insufficient to prevent code injection.
This vulnerability allows unauthenticated attackers to inject arbitrary PHP code that will be executed directly on the server. Through this injection, attackers can escalate to Remote Code Execution (RCE) using functions such as system(), exec(), passthru(), or shell_exec(), enabling the execution of operating system commands, establishment of reverse shells, unauthorized access and modification of sensitive data including configuration files and databases, lateral movement within the network, and potentially complete compromise of the affected server. |
|---|
| Fonte | ⚠️ https://www.youtube.com/watch?v=hU8YbFc6KpI |
|---|
| Utilizador | mtzsec (UID 52162) |
|---|
| Submissão | 07/11/2025 20h19 (há 8 meses) |
|---|
| Moderação | 29/11/2025 21h36 (22 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 333796 [Qualitor até 8.20.104/8.24.97 getResumo.php eval passageiros Elevação de Privilégios] |
|---|
| Pontos | 17 |
|---|