| tiêu đề | vertex-app vertex up to v2026.02.12 OS Command Injection |
|---|
| Mô tả | This authenticated OS Command Injection vulnerability in Vertex allows Remote Code Execution because the type query parameter is passed directly into execSync() without sanitization in the log viewer endpoint. An attacker can inject shell metacharacters to execute arbitrary system commands under the application's privileges. Furthermore, since Vertex lacks CSRF protection for this action, an attacker can remotely trigger the exploit by deceiving a logged-in administrator into visiting a malicious URL, potentially leading to a full compromise of the host server. |
|---|
| Nguồn | ⚠️ https://gist.github.com/menelausx/e632faba4014474fcef6a1f541ca3e4e |
|---|
| Người dùng | JasperX (UID 97281) |
|---|
| Đệ trình | 03/05/2026 14:59 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 05/06/2026 20:34 (1 month later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 368967 [vertex-app vertex đến 2026.02.12 Log Viewer Endpoint app/model/LogMod.js req.query nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|