CVE-2021-45281
- EPSS 0.24%
- Published 07.02.2022 22:15:08
- Last modified 21.11.2024 06:32:03
QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerability at "adminuseredit.php?usertoedit=XSS", as the user-supplied input for the value of this parameter is not properly sanitized.
- EPSS 7.06%
- Published 24.01.2022 13:15:08
- Last modified 21.11.2024 06:31:46
In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additio...
- EPSS 0.38%
- Published 01.06.2020 18:15:11
- Last modified 21.11.2024 05:01:45
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or ...
- EPSS 45%
- Published 01.06.2020 16:15:14
- Last modified 21.11.2024 05:01:17
QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.
- EPSS 0.44%
- Published 01.06.2020 16:15:14
- Last modified 21.11.2024 05:01:45
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.