CVE-2020-13694

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.
References
Link Resource
https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ Exploit Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:quickbox:quickbox:*:*:*:*:community:*:*:*

Configuration 2 (hide)

cpe:2.3:a:quickbox:quickbox:*:*:*:*:pro:*:*:*

Information

Published : 2020-06-01 09:15

Updated : 2020-06-02 07:08


NVD link : CVE-2020-13694

Mitre link : CVE-2020-13694


JSON object : View

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Advertisement

dedicated server usa

Products Affected

quickbox

  • quickbox