This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: MajorDoMo has a critical **Remote Code Execution (RCE)** flaw. π **Consequences**: Attackers can inject and execute arbitrary PHP code via GET parameters, leading to full system compromise.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-94** (Code Injection). The bug stems from an **include order error** in `modules/panel.class.php`.β¦
π **Affected**: Users of the **MajorDoMo** open-source DIY smart home automation platform. π·οΈ **Vendor**: sergejey. Specifically, the admin panel's PHP console logic is vulnerable.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: Unauthenticated attackers can execute **arbitrary PHP code**.β¦
π **Public Exploit**: **Yes**. A Nuclei template is available on GitHub (projectdiscovery/nuclei-templates). π **Details**: Crafted GET requests can trigger the `eval()` injection directly.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the MajorDoMo admin console. Look for unauthenticated access to `inc_panel_ajax.php`.β¦
π§ **No Patch Workaround**: If you cannot patch immediately, **block external access** to the admin panel via firewall rules. π Restrict access to `modules/panel.class.php` and `inc_panel_ajax.php` to trusted IPs only.
Q10Is it urgent? (Priority Suggestion)
β‘ **Urgency**: **CRITICAL**. π¨ CVSS Score is **High** (likely 9.8+). With **no authentication** required and **RCE** capability, this is an immediate threat. Patch or isolate the system **NOW**.