
List:       full-disclosure
Subject:    [FD] [Full Disclosure] CVE-2024-22900: Unpatched Command Injection in Vinchin Backup and Recovery Ve
From:       Balgogan via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2024-01-25 19:18:35
Message-ID: _0_gchQgbYiSxPMk4ZJRkh6hQ1rTGpF1IUOqbEZEugHHeWCy3TSel8mcz13fgv7h5rIL7k5jauCNVzub61H2ooKVKHouXg_OxKy8yMTsRUc= () protonmail ! com

CVE ID: CVE-2024-22900

Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and Earlier

Description:
A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.

Details:
1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.
2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.
3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.
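The root cause in point 3 is untrusted input reaching a system command. The following is an added, hypothetical hardened handler (illustrative code, not Vinchin's implementation): it allowlists the `NAME` value against the shape of a Linux interface name and passes it to the command as a single argv element rather than as shell text. The `ip link` command, the MTU field and the request shape are assumptions.

```python
"""Hypothetical hardened handler for a "set network card info" request.

Illustrative code only, not Vinchin's implementation: the validation rule,
the command run and the request shape are all assumptions.
"""
import re
import subprocess

# Linux interface names are at most 15 characters (IFNAMSIZ - 1) and in
# practice contain only letters, digits, '.', ':', '_' and '-'. Anything
# else (spaces, ';', '$', '`', quotes, newlines) is rejected outright.
_IFNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,14}")


def validate_interface_name(name: str) -> str:
    """Return name unchanged if it is a plausible interface name, else raise."""
    if not isinstance(name, str) or not _IFNAME_RE.fullmatch(name):
        raise ValueError(f"rejected interface name: {name!r}")
    return name


def build_ip_link_argv(name: str, mtu: int) -> list[str]:
    """Build argv for `ip link set <name> mtu <mtu>` as a list, not a string.

    Without shell=True the user-controlled value is a single argument to
    `ip`, never a fragment of shell syntax, so it cannot terminate the
    command even if the allowlist above were loosened.
    """
    iface = validate_interface_name(name)
    if not 68 <= mtu <= 65535:
        raise ValueError(f"mtu out of range: {mtu}")
    return ["ip", "link", "set", iface, "mtu", str(mtu)]


def set_network_card_info(request: dict, run=subprocess.run) -> int:
    """Hypothetical request handler: validate NAME and MTU, then execute.

    `run` is injectable so the handler can be exercised without touching
    real interfaces.
    """
    argv = build_ip_link_argv(request.get("NAME", ""), int(request.get("MTU", 1500)))
    return run(argv, check=False).returncode
```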

Impact:
This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.

Current Status:
As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.

Recommendation:
It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.

Signed, Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/