Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-6655-8f3g-xp52

Опубликовано: 02 июл. 2025
Источник: github
Github: Не прошло ревью
CVSS4: 10

Описание

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

EPSS

Процентиль: 99%
0.76776
Высокий

10 Critical

CVSS4

Дефекты

CWE-78

Связанные уязвимости

nvd
около 1 месяца назад

An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process.

EPSS

Процентиль: 99%
0.76776
Высокий

10 Critical

CVSS4

Дефекты

CWE-78