Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval
Vulnerability Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the ajax handler in inc_panel_ajax.php. The console handler within that file passes user-supplied input from GET parameters (via register_globals) directly to eval() without any authentication check. An attacker can execute arbitrary PHP code by sending a crafted GET request to /admin.php with ajax_panel, op, and command parameters.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
MajorDoMo 代码注入漏洞
Vulnerability Description
MajorDoMo是MajorDoMo社区的一个开源DIY智能家居自动化平台。 MajorDoMo存在代码注入漏洞,该漏洞源于modules/panel.class.php中的包含顺序错误导致执行在缺少exit语句的redirect()调用后继续,允许未经验证的请求到达inc_panel_ajax.php中的ajax处理程序,该处理程序将来自GET参数的用户输入直接传递给eval(),可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A