OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.7, an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Version 10.0.7 fixes the vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

OneUptime 操作系统命令注入漏洞

OneUptime是OneUptime开源的一个全面的解决方案。用于监控和管理您的在线服务。 OneUptime 10.0.7之前版本存在操作系统命令注入漏洞，该漏洞源于NetworkPathMonitor.performTraceroute()中存在操作系统命令注入漏洞，允许任何经过身份验证的项目用户通过向监视器的目标字段注入shell元字符在探针服务器上执行任意操作系统命令。

N/A

N/A