Unknown · Allsky Webui · CVE-2025-63414
**Name of the Vulnerable Software and Affected Versions**
Allsky WebUI version v2024.12.06 06
**Description**
A path traversal flaw exists in Allsky WebUI version v2024.12.06 06 that permits an unauthenticated remote attacker to execute commands on the system. This is achieved by submitting a specially crafted HTTP request to the `/html/execute.php` API endpoint, utilizing a malicious payload within the `id` parameter. Successful exploitation results in arbitrary command execution, potentially leading to full remote code execution (RCE).
**Recommendations**
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/html/execute.php` endpoint. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved.
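To check whether the endpoint has already been reached while the workaround or update is rolled out, web server access logs can be reviewed for requests to `/html/execute.php` whose `id` value decodes to a path. The script below is an added example, not code from Allsky or from this advisory; it assumes common/combined log format, sees only query-string parameters (request bodies are not logged), and uses constructed log lines with documentation IP addresses.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/html/execute.php"  # endpoint named in the advisory
PARAM = "id"                    # parameter named in the advisory
# Assumption: common/combined log format, request line in the first quoted field.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /html/execute.php?id=sample_action HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /html/execute.php?id=..%2F..%2Fplaceholder HTTP/1.1" 200 45',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /html/execute.php?id=%252e%252e%252fplaceholder HTTP/1.1" 200 45',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /html/index.php?id=..%2Fplaceholder HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "POST /html/execute.php HTTP/1.1" 200 45',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None, 'endpoint' (hit, no traversal visible in the URL) or 'traversal'."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    path, _, query = match.group("target").partition("?")
    path = posixpath.normpath(re.sub(r"/+", "/", fully_decode(path)))
    if path != ENDPOINT:
        return None
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:
            continue
        value = fully_decode(value).replace("\\", "/")
        # Heuristic: an absolute path or a parent-directory segment is not a plain id
        if value.startswith("/") or ".." in value.split("/"):
            return "traversal"
    return "endpoint"

def scan(lines):
    """Return (line_number, verdict) for every request that reached the endpoint."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]
```

Lines reported as `endpoint` deserve review when they come from addresses that should not reach the WebUI at all, since a `POST` body carrying `id` would not appear in the access log.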