Unknown · Quickbox Pro · CVE-2021-44981
**Name of the Vulnerable Software and Affected Versions**
QuickBox Pro versions 2.5.8 and below
**Description**
The issue allows for remote code execution: a variable in the config.php file takes a GET parameter value and passes it into a `shell_exec()` call without properly sanitizing shell arguments. Because the media server runs as root by default, attackers can use the `sudo` command within this `shell_exec()` call, so the remote code execution escalates to root privileges.
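The weak pattern described above, shown beside a hardened form, as an added illustration that is not QuickBox Pro's actual config.php code. The parameter name `action`, the command table and the binary paths are assumptions for the example; the real affected variable is not named on this page.

```php
<?php
// Added illustration, not QuickBox Pro's code. The parameter name 'action',
// the command table and the paths below are assumptions for the example.

// Weak pattern: untrusted GET input concatenated into a shell command line.
// Any shell metacharacter in the parameter changes which commands run, and
// when the web process runs as root the injected commands run as root too.
function buildUnsafeCommand(array $get): string
{
    return 'service-status ' . ($get['action'] ?? '');
}

function runUnsafe(array $get): string
{
    return (string) shell_exec(buildUnsafeCommand($get));
}

// Hardened form: map the request onto a fixed table of commands, never build
// the command line from request data, and quote every argv element.
// Keep privileged operations out of the table and run the process as an
// unprivileged user so a future bug cannot be turned into root access.
const ALLOWED_ACTIONS = [
    'status'  => ['/usr/bin/systemctl', 'status', 'media'],   // assumed paths
    'restart' => ['/usr/bin/systemctl', 'restart', 'media'],
];

function runSafe(array $get): string
{
    $action = $get['action'] ?? '';
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        // Reject before any shell is involved; report 400 in a web context.
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return 'unknown action';
    }
    // escapeshellarg() wraps each element in single quotes so the shell treats
    // it as one literal word; the command itself comes from the table above.
    $argv = array_map('escapeshellarg', ALLOWED_ACTIONS[$action]);
    return (string) shell_exec(implode(' ', $argv));
}

// CLI self-check: shows what each path does with a request that carries a
// shell metacharacter, without executing the weak command line.
if (PHP_SAPI === 'cli') {
    $input = ['action' => 'status; id'];   // constructed sample request
    // Weak: the line becomes "service-status status; id", i.e. two commands.
    echo 'weak command line: ', buildUnsafeCommand($input), PHP_EOL;
    // Safe: the allowlist rejects the value, so nothing reaches the shell.
    echo 'safe result      : ', runSafe($input), PHP_EOL;
}
```

Run it with `php example.php` to see the two outcomes side by side. For a quick audit of an existing install, the pattern to look for is any `shell_exec()`, `exec()`, `system()` or backtick call whose argument is built from `$_GET`, `$_POST` or `$_REQUEST`; each such site needs either the allowlist approach above or, at minimum, `escapeshellarg()` on every request-derived value.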
**Recommendations**
For versions 2.5.8 and below, consider disabling the `shell_exec()` function in the config.php file until a patch is available to prevent remote code execution. Restrict access to the config.php file to minimize the risk of exploitation. Avoid using the `sudo` command within the `shell_exec()` function in the affected versions.