CVE-2021-44981

moderate-risk
Published 2022-01-24

In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE.

Do I need to act?

~
7.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (2)

Quickbox
Quickbox

Affected Vendors

Quickbox

References (4)

Issue Tracking https://github.com/QuickBox/QB/issues/202
Exploit https://websec.nl/blog/61b2b37a43a1155c848f3b08/websec%20finds%20critical%20vuln...
Issue Tracking https://github.com/QuickBox/QB/issues/202
Exploit https://websec.nl/blog/61b2b37a43a1155c848f3b08/websec%20finds%20critical%20vuln...
46
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 9/34 · Low
Exposure 7/34 · Low