CVE-2021-44981

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-44981
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44981.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-44981
Published
2022-01-24T13:15:08.177Z
Modified
2026-03-13T00:40:45.554922Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shellexec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shellexec(''); function, which allows for privilege escalation by means of RCE.

References

Affected packages

Git / github.com/quickbox/qb

Affected ranges

Type
GIT
Repo
https://github.com/quickbox/qb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3f4b2839b8a8cb7c3f17eaa3c59650f21516840b
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3f4b2839b8a8cb7c3f17eaa3c59650f21516840b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.8"
        }
    ]
}

Affected versions

v2.*
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44981.json"