CHT Security Red Team Discovered Vulnerability in Well-Known EIP system

Summary

Vulnerability List

[CVE-2024-26260] – Command Injection

[CVE-2024-26261] – Arbitrary File Read And Delete


Details

1. Command Injection

Description

The synchronization functionality in certain OAKlouds modules has an OS command injection vulnerability, allowing remote attackers to inject system commands through specific request parameters.


Impact

This vulnerability enables the execution of arbitrary code on the remote server without permission. 


2. Arbitrary File Read And Delete

Description

The file download functionality in certain OAKlouds modules contains an arbitrary file read and delete vulnerability. Attackers can place a file path in specific request parameters, allowing them to download the file without logging in. Furthermore, the file is deleted after being downloaded.


Impact

This vulnerability enables an attacker to download and delete files without logging in.
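As an added illustration of the defensive pattern for the second issue (this is example code, not code from OAKlouds or from CHT Security), the handler below requires an authenticated caller and confines the requested path to a fixed export directory before reading and removing the file; the directory, parameter and function names are assumptions, and the sample file is constructed inline.

```python
import os
import tempfile
from typing import Optional


def resolve_export_path(export_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` inside `export_dir`, or None when the
    request escapes the directory (".." segments, absolute paths, symlinks)."""
    base = os.path.realpath(export_dir)
    # os.path.join drops `base` entirely when `requested` is absolute, so the
    # realpath/commonpath comparison below is the decisive check, not the join.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def download_and_delete(export_dir: str, requested: str, authenticated: bool) -> Optional[bytes]:
    """Read and then remove a file, but only for authenticated callers and only
    for paths confined to `export_dir`. Returns the content, or None on rejection."""
    if not authenticated:                      # no anonymous download (or delete)
        return None
    path = resolve_export_path(export_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)                            # delete only after the confined read succeeded
    return data


def make_sample_export_dir() -> str:
    """Constructed fixture (assumption): a temp export directory with one report."""
    export_dir = tempfile.mkdtemp(prefix="oakl-export-")
    with open(os.path.join(export_dir, "report.csv"), "wb") as fh:
        fh.write(b"id,name\n1,demo\n")
    return export_dir


if __name__ == "__main__":
    d = make_sample_export_dir()
    print(resolve_export_path(d, "../etc/passwd"))            # None: traversal rejected
    print(download_and_delete(d, "report.csv", False))        # None: not authenticated
    print(download_and_delete(d, "report.csv", True))         # file content, then removed
```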




Known Affected Software

  • OAKlouds-organization-2.0 before version 188
  • OAKlouds-organization-3.0 before version 188
  • OAKlouds-webbase-3.0 before version 1051
  • OAKlouds-webbase-2.0 before version 1051


Credits

  • Fi Liu (CHT Security)