CVE-2020-35729
KLog Server 2.4.1 and earlier versions are affected by an unauthenticated command injection in authenticate.php. The user parameter is passed to shell_exec() without sanitization, allowing arbitrary commands to run as the apache user; the sudoers setup can grant root privileges, enabling full system com...
CVE-2021-3317
KLog Server up to version 2.4.1 is affected by an authenticated command injection vulnerability. The issue arises in async.php, where the source parameter is passed to shell_exec() without proper input validation, allowing an attacker with valid credentials to execute arbitrary commands on the se...