Vulnerability Information
Vulnerability Title
Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp
Vulnerability Description
An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments.
CVSS Information
N/A
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Vulnerability Title
Real Time Logic Mako Server OS Command Injection Vulnerability
Vulnerability Description
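Real Time Logic Mako Server is a lightweight, Lua-based web framework from Real Time Logic, a US company. Real Time Logic Mako Server versions 2.5 and 2.6 contain a security vulnerability caused by a command injection issue in the examples/save.lsp endpoint, which may lead to remote code execution.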
CVSS Information
N/A
Vulnerability Type
N/A
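
Detection example (added here, not part of the original advisory or of Mako Server): the description above gives a two-request sequence, a PUT to examples/save.lsp followed by a GET to examples/manage.lsp, which can be correlated per client in web access logs. The sketch assumes combined-log-format lines, for example from a reverse proxy in front of the server, a 10-minute correlation window, and that both requests arrive from the same client address; the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per site

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that are not in the assumed format
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path = target.split("?", 1)[0].lower()  # ignore query string and case
    return ip, when, method, path, int(status)

def find_save_then_manage(lines):
    """Return (ip, put_time, get_time) for each PUT to examples/save.lsp that
    the same client follows with a GET to examples/manage.lsp within WINDOW."""
    pending = {}  # client ip -> time of its most recent PUT to save.lsp
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, _status = rec
        if method == "PUT" and path.endswith("/examples/save.lsp"):
            pending[ip] = when
        elif method == "GET" and path.endswith("/examples/manage.lsp"):
            put_time = pending.get(ip)
            if put_time is not None and timedelta(0) <= when - put_time <= WINDOW:
                hits.append((ip, put_time, when))
                del pending[ip]
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 2 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:10:00:09 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [12/Mar/2024:10:01:00 +0000] "PUT /examples/save.lsp HTTP/1.1" 200 2 "-" "-"',
    '203.0.113.5 - - [12/Mar/2024:11:30:00 +0000] "GET /examples/manage.lsp HTTP/1.1" 200 512 "-" "-"',
    'not an access-log line',
]

if __name__ == "__main__":
    for ip, put_time, get_time in find_save_then_manage(SAMPLE_LOG):
        print(f"ALERT {ip}: PUT save.lsp at {put_time}, GET manage.lsp at {get_time}")
```

Because the description says the endpoint belongs to the tutorial interface, any PUT to examples/save.lsp on a production host is worth reviewing on its own, even without the follow-up GET.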