Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Vulnerability Description
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secret`, `Node Secret` and `Terminal Start Command`. While the UI doesn't allow users to modify the `Terminal Start Command` setting, it is possible to do so by sending a request to the API. This issue may lead to authenticated remote code execution, privilege escalation, and information disclosure. This vulnerability has been patched in version 2.0.0.beta.9.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
Nginx UI 命令注入漏洞
Vulnerability Description
Nginx UI是Jacky个人开发者的一个 Nginx 的 WebUI。 Nginx UI 2.0.0.beta.9之前版本存在命令注入漏洞,攻击者利用该漏洞可以通过修改 start_cmd设置来执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A