Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HaxCMS-PHP Command Injection Vulnerability
Vulnerability Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
HAX 操作系统命令注入漏洞
Vulnerability Description
HAX是HAX The Web开源的一个HAX+CMS使用PHP后端管理的微型网站。 HAX 11.0.3之前版本存在操作系统命令注入漏洞,该漏洞源于用户输入验证不足,可能导致OS命令注入。
CVSS Information
N/A
Vulnerability Type
N/A