Jc21

**Name of the Vulnerable Software and Affected Versions** NginxProxyManager version 2.11.3 **Description** A command injection issue exists in the `requestLetsEncryptSsl` function of NginxProxyManager. This allows a remote attacker to execute arbitrary commands by adding a specially crafted Let's Encrypt certificate. The issue is related to insufficient data sanitization on the management level. Exploitation can lead to Remote Code Execution (RCE). **Recommendations** NginxProxyManager version 2.11.3: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: NginxProxyManager version 2.11.3 Description: A command injection vulnerability in the `requestLetsEncryptSslWithDnsChallenge` function allows an attacker to achieve remote code execution via the "Add Let's Encrypt Certificate" feature. This issue is related to inadequate data sanitization at the management level, which can be exploited to execute arbitrary commands. Recommendations: For NginxProxyManager version 2.11.3, consider disabling the `requestLetsEncryptSslWithDnsChallenge` function until a patch is available to prevent remote code execution. Restrict access to the "Add Let's Encrypt Certificate" feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.