CHT Security Red Team Discovered Vulnerability in Well-Known EIP system
Summary
Vulnerability List
[CVE-2024-26260] – Command Injection
[CVE-2024-26261] – Arbitrary File Read And Delete
Details
1. Command Injection
Description
The synchronization functionality in certain OAKlouds modules has an OS Command Injection vulnerability, allowing remote attackers to inject system commands through specific request parameters.
Impact
This vulnerability enables the execution of arbitrary code on the remote server without permission.
2. Arbitrary File Read And Delete
Description
The file download functionality in certain OAKlouds modules contains an Arbitrary File Read and Delete vulnerability. Attackers can supply a file path in specific request parameters, allowing them to download that file without logging in. Furthermore, the file is deleted from the server after it has been downloaded.
Impact
This vulnerability enables an attacker to download and delete files on the server without logging in.
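As an added illustration of the checks such a download handler is missing (example code written for this advisory, not OAKlouds code, whose internals are not shown here), the handler below requires a login, confines the requested path to a download directory, and never deletes the served file; the directory name and the `demo()` scenario are constructed assumptions.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical download root; the real module's layout is not on the page.
DOWNLOAD_ROOT = Path("/srv/eip/exports")


def resolve_download_path(requested: str, root: Path = DOWNLOAD_ROOT) -> Optional[Path]:
    """Map a user-supplied file name to a path inside ``root``.

    Returns None (refuse) when the request names a file outside the download
    directory, which is the containment check an arbitrary-file-read bug lacks.
    """
    if not requested or "\x00" in requested:
        return None
    # Resolve symlinks and ".." on both sides before comparing prefixes.
    base = root.resolve()
    candidate = (base / requested).resolve()  # absolute input replaces base here
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def serve_download(requested: str, authenticated: bool, root: Path = DOWNLOAD_ROOT) -> Optional[bytes]:
    """Hardened handler: require login, confine the path, and never delete."""
    if not authenticated:
        return None
    path = resolve_download_path(requested, root)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()


def demo() -> dict:
    """Constructed scenario: one legitimate export plus out-of-directory requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"
        root.mkdir()
        (root / "report.pdf").write_bytes(b"%PDF-constructed")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not for download")
        return {
            "legit": serve_download("report.pdf", True, root),
            "no_login": serve_download("report.pdf", False, root),
            "traversal": serve_download("../secret.txt", True, root),
            "absolute": serve_download(str(outside), True, root),
            "still_there": (root / "report.pdf").exists(),  # file survives the download
        }
```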
Known Affected Software
- OAKlouds-organization-2.0 before version 188, OAKlouds-organization-3.0 before version 188, OAKlouds-webbase-3.0 before version 1051, OAKlouds-webbase-2.0 before version 1051
Credits
- Fi Liu (CHT Security)