PT-2018-14908 · Budabot · Budabot

Ryan Delaney · Published 2018-11-30 · Updated 2019-10-03 · CVE-2018-19290

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Budabot versions 0.6 through 4.0

Description: The issue allows remote attackers to perform a command injection attack against the PHP daemon by sending a crafted command. This can result in a denial of service or possibly other unspecified impacts. For example, the command "!calc 5 x 5" can be used to demonstrate the issue. The vulnerable code is located in different files depending on the version: in versions before 3.0 it is in modules/HELPBOT MODULE/calc.php, and in versions 3.0 and above it is in modules/HELPBOT MODULE/HelpbotController.class.php.

Recommendations: For versions 0.6 through 2.x, consider disabling the calc.php file in the modules/HELPBOT MODULE directory until a patch is available. For versions 3.0 through 4.0, consider disabling the HelpbotController.class.php file in the modules/HELPBOT MODULE directory until a patch is available. Restrict access to the !calc command in the affected API endpoint until the issue is resolved.
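An input-validation approach to the mitigation above, added here as an example and not Budabot's own code: instead of handing the !calc argument to any interpreter, the handler tokenises it against an allowlist of numbers, arithmetic operators and parentheses and evaluates it with a small recursive-descent parser, so an argument such as "5 x 5" is rejected outright. The function names and the length limit are assumptions of this example.

```python
import re
from typing import List, Union

# Allowlist tokeniser: only numbers, + - * / and parentheses are legal.
TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))")


class CalcError(ValueError):
    """Raised for any input the calculator refuses to evaluate."""


def tokenize(expr: str) -> List[Union[float, str]]:
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:  # anything outside the allowlist, e.g. 'x' in "5 x 5"
            raise CalcError(f"illegal character at offset {pos}")
        pos = m.end()
        tokens.append(float(m.group(1)) if m.group(1) else m.group(2))
    return tokens


class Parser:
    # expr := term (('+'|'-') term)*   term := factor (('*'|'/') factor)*
    # factor := number | '-' factor | '(' expr ')'
    def __init__(self, tokens: List[Union[float, str]]):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> float:
        val = self.term()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term()
            val = val + rhs if op == "+" else val - rhs
        return val

    def term(self) -> float:
        val = self.factor()
        while self.peek() in ("*", "/"):
            op, rhs = self.take(), self.factor()
            if op == "/" and rhs == 0:
                raise CalcError("division by zero")
            val = val * rhs if op == "*" else val / rhs
        return val

    def factor(self) -> float:
        tok = self.take()
        if isinstance(tok, float):
            return tok
        if tok == "-":
            return -self.factor()
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise CalcError("missing ')'")
            return val
        raise CalcError("unexpected token or end of input")


def safe_calc(arg: str) -> str:
    """Evaluate a !calc argument; raises CalcError instead of executing it."""
    if len(arg) > 200:  # assumed limit to bound parser work per message
        raise CalcError("expression too long")
    parser = Parser(tokenize(arg.strip()))
    value = parser.expr()
    if parser.peek() is not None:
        raise CalcError("trailing input")
    return f"{value:g}"


def is_rejected(arg: str) -> bool:
    """True if safe_calc refuses the argument (used to check the allowlist)."""
    try:
        safe_calc(arg)
        return False
    except CalcError:
        return True
```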

References: Exploit · Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2018-19290

Affected Products: Budabot