Lucene search
K

Vinchin Backup And Recovery 7.2 setNetworkCardInfo Command Injection

🗓️ 26 Jan 2024 00:00:00Reported by Valentin LobsteinType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 320 Views

Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.

Related
Code
`CVE ID: CVE-2024-22900  
  
Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and Earlier  
  
Description:  
A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.  
  
Details:  
1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.  
2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.  
3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.  
  
Impact:  
This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.  
  
Current Status:  
As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.  
  
Recommendation:  
It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.  
  
Signed,Valentin Lobstein  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation