LocalTapiola: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Summary: The "/system/images" URL accepts a Base-64 encoded string, which is in turn used to convert images from the local disk before displaying them to the user. The website fails to validate the user input, allowing arbitrary bash command injection.

Description: When surfing the...
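
A hardened handler for the pattern the summary describes, as an added example that is not taken from the report or from the affected application: the Base64 segment is decoded, checked against a strict format, and turned into an argument list that is run without a shell. The image root, the `path|WxH` layout of the decoded string, and the `convert` command line are assumptions made for illustration.

```python
import base64
import binascii
import re
from pathlib import PurePosixPath

# Assumptions (not from the report): images live under IMAGE_ROOT, the decoded
# parameter has the form "<relative path>|<WxH>", and the converter is "convert".
IMAGE_ROOT = PurePosixPath("/srv/app/images")
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\Z")  # cannot start with "-" or "."
SIZE_RE = re.compile(r"[1-9][0-9]{0,3}x[1-9][0-9]{0,3}\Z")
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


class RejectedRequest(ValueError):
    """The decoded parameter does not match the expected job format."""


def build_convert_argv(token: str) -> list[str]:
    """Decode the Base64 URL segment and return an argv list for the converter.

    The list is meant for subprocess.run(argv, shell=False): no shell parses it,
    so shell metacharacters carry no meaning even if a check here were wrong.
    """
    try:
        padded = token + "=" * (-len(token) % 4)
        decoded = base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")
    except (binascii.Error, UnicodeError) as exc:
        raise RejectedRequest("not valid Base64/UTF-8") from exc

    rel_path, sep, size = decoded.partition("|")
    if not sep or not SIZE_RE.match(size):
        raise RejectedRequest("bad geometry")

    # Allowlist every path component: rejects "..", empty parts, spaces,
    # option-like names ("-x") and anything outside plain file-name characters.
    parts = rel_path.split("/")
    if not all(NAME_RE.match(p) for p in parts):
        raise RejectedRequest("bad path component")
    if PurePosixPath(parts[-1]).suffix.lower() not in ALLOWED_EXT:
        raise RejectedRequest("extension not allowed")

    # Absolute source path under the image root; output goes to stdout as PNG.
    src = str(IMAGE_ROOT.joinpath(*parts))
    return ["convert", src, "-resize", size, "png:-"]
```

Both layers matter: the allowlist keeps unexpected paths and options out of the converter, and the argv form removes the shell from the call path entirely.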