PGObject · PGObject::Util::DBAdmin · CVE-2018-9246
**Name of the Vulnerable Software and Affected Versions**
PGObject::Util::DBAdmin module versions prior to 0.120.0
LedgerSMB versions 1.5.x and earlier
**Description**
The module insufficiently sanitizes or escapes variable values that it uses in shell command execution. This results in shell code injection via the create(), run_file(), backup(), or restore() functions. The problem allows unauthorized users to execute code with the same privileges as the running application.
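The flaw class described above, as an added example (not code from PGObject::Util::DBAdmin or LedgerSMB): the same value passed once inside a shell command string and once as a single argv element. `echo` stands in for a PostgreSQL client program, and the sub names and the allowlist pattern are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Run a command and return its output lines.
# One element   => a command string, handed to /bin/sh if it has metacharacters.
# Many elements => an argv list, executed directly with no shell involved.
sub capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!\n";
    chomp(my @lines = <$fh>);
    close($fh);
    return @lines;
}

# Vulnerable pattern: the value is interpolated into a shell command string.
sub create_unsafe {
    my ($db) = @_;
    return capture("echo createdb $db");
}

# Hardened pattern: allowlist the name, then pass it as one argv element.
# The pattern is an assumption (a conservative identifier, 63 chars max).
sub create_safe {
    my ($db) = @_;
    die "rejected database name\n"
        unless $db =~ /\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/;
    return capture('echo', 'createdb', $db);
}

# Constructed inputs: one ordinary name, one carrying a shell metacharacter.
for my $db ('acme_books', 'acme; echo INJECTED') {
    print "input: <$db>\n";
    print "  string form : $_\n" for create_unsafe($db);
    print "  list form   : $_\n" for capture('echo', 'createdb', $db);
    my @out = eval { create_safe($db) };
    print "  allowlisted : ", (@out ? $out[0] : "error: $@");
    print "\n" if @out;
}
```

For the second input the string form produces an extra output line because the shell treats `;` as a command separator, while the list form hands the whole value to the program as one argument.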
**Recommendations**
For PGObject::Util::DBAdmin module versions prior to 0.120.0, update to version 0.120.0 or later to resolve the issue.
For LedgerSMB versions 1.5.x and earlier, consider disabling the create(), run_file(), backup(), and restore() functions until a patched version is available. Restrict access to these functions to minimize the risk of exploitation.