Ipcop · Ipcop · CVE-2021-4466
**Name of the Vulnerable Software and Affected Versions**
IPCop versions up to and including 2.1.9
**Description**
IPCop versions up to and including 2.1.9 allow authenticated remote code execution through the web-based administration interface. The email configuration component inserts user-controlled values, including the `EMAIL_PW` parameter, directly into system-level operations without proper input sanitization. By modifying the email password field to include shell metacharacters and issuing a save-and-test-mail action, an attacker can execute arbitrary operating system commands with the privileges of the web interface, potentially leading to full system compromise.
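The following added example (not IPCop's code and not part of the original advisory) shows the class of bug described above and two ways to close it: a form value spliced into a shell command line versus the same value passed as a single argv element or shell-quoted. The helper command, function names and sample password are constructed for illustration, and a POSIX `sh` is assumed.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for a mail-test helper: it only echoes the arguments
# it received, one per line, so we can see how the password reached it.
HELPER = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Constructed sample value for the email password field (harmless marker).
SAMPLE_PW = "s3cret; echo INJECTED"


def _run(cmd, shell):
    out = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def mail_test_unsafe(password):
    """Vulnerable pattern: the value is concatenated into a shell command string."""
    cmd = " ".join(shlex.quote(p) for p in HELPER) + " --password " + password
    return _run(cmd, shell=True)


def mail_test_argv(password):
    """Preferred fix: argv list and no shell, so the value is one literal argument."""
    return _run(HELPER + ["--password", password], shell=False)


def mail_test_quoted(password):
    """Fallback when a shell cannot be avoided: quote the value for POSIX sh."""
    cmd = " ".join(shlex.quote(p) for p in HELPER) + " --password " + shlex.quote(password)
    return _run(cmd, shell=True)


if __name__ == "__main__":
    # Unsafe: the shell splits at ';' and runs the trailing text as a command.
    print("unsafe:", mail_test_unsafe(SAMPLE_PW))
    # Hardened: the helper receives the password byte-for-byte as one argument.
    print("argv:  ", mail_test_argv(SAMPLE_PW))
    print("quoted:", mail_test_quoted(SAMPLE_PW))
```

Passwords legitimately contain punctuation, so rejecting metacharacters in the field is a weaker control than keeping the value out of a shell altogether.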
**Recommendations**
Update to a version later than 2.1.9.