| Название | Qualitor Qualitor Web 8.20/8.24 Code Injection |
|---|
| Описание | Critical Code Injection vulnerability in Qualitor Web version 8.20/8.20 BD 206. The file /html/st/stdeslocamento/request/getResumo.php uses the eval() function execute the content of the passageiros parameter received via $_REQUEST without proper validation. Despite the presence of a sanitizeEval() function, the sanitization is insufficient to prevent code injection.
This vulnerability allows unauthenticated attackers to inject arbitrary PHP code that will be executed directly on the server. Through this injection, attackers can escalate to Remote Code Execution (RCE) using functions such as system(), exec(), passthru(), or shell_exec(), enabling the execution of operating system commands, establishment of reverse shells, unauthorized access and modification of sensitive data including configuration files and databases, lateral movement within the network, and potentially complete compromise of the affected server. |
|---|
| Источник | ⚠️ https://www.youtube.com/watch?v=hU8YbFc6KpI |
|---|
| Пользователь | mtzsec (UID 52162) |
|---|
| Представление | 07.11.2025 20:19 (8 месяцы назад) |
|---|
| Модерация | 29.11.2025 21:36 (22 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 333796 [Qualitor до 8.20.104/8.24.97 getResumo.php eval passageiros эскалация привилегий] |
|---|
| Баллы | 17 |
|---|