Critical Vulnerability Information Vulnerability Type OS Command Injection (Blind Time-Based) Affected Versions <= 3.4.1 Fixed Version 3.4.2 Severity Critical (9.8 / 10) Vulnerability Description An OS command injection vulnerability exists in the endpoint. The parameter is not properly sanitized before being concatenated into a shell command and executed. Attackers can execute arbitrary commands on the server by sending a POST request containing special characters, thereby gaining command execution privileges under the web server user account. Initial Exploit Request Example PoC (Proof of Concept) 1. Attack Command - Use the tool to inject an command to create a new HTML file. 2. Verification - After executing the command, access the generated file via browser: Impact Confidentiality: Attackers can read sensitive files on the server, including application source code, API keys, and configuration files. Integrity: Modify or delete any files that web data users have write permissions to, leading to website functionality disruption, malicious injection, or application compromise. Availability: Execute resource-intensive commands (CPU, memory) causing Denial of Service (DoS). Pivoting: Use the compromised server as a foothold to attack other systems within the internal network.