PT-2020-13653 · Quickbox · Quickbox Community Edition

Published: 2020-06-01 · Updated: 2021-07-21 · CVE-2020-13695

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: QuickBox Community Edition versions 2.5.5 and earlier; QuickBox Pro Edition versions 2.1.8 and earlier

Description: The issue allows an attacker to obtain sensitive information by exploiting the local www-data user's sudo privileges, which permit executing grep as root without a password. For example, grep can be run as root against /root/*.db or /etc/shadow.

Recommendations: For QuickBox Community Edition versions 2.5.5 and earlier and QuickBox Pro Edition versions 2.1.8 and earlier, remove the sudo privileges that let the www-data user execute grep as root without a password.
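To check a host for the kind of rule the advisory describes, here is an added shell example (not code from the advisory or the QuickBox project) that scans sudoers-format text for a passwordless grep rule granted to www-data. The sudoers lines inside it are constructed samples, since the advisory does not quote QuickBox's actual rule, and the function name find_grep_nopasswd is this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or the QuickBox project: audit sudoers
# text for a rule that lets www-data run grep as root without a password.
# The sudoers fragments below are constructed for illustration.

# Constructed fragment containing the weak rule. In sudoers, a command listed
# without arguments may be run with ANY arguments, so a passwordless root grep
# can read whatever file the caller names (the advisory's /etc/shadow case).
WEAK_SUDOERS='# web-UI helper rules (constructed sample)
www-data ALL=(ALL) NOPASSWD: /bin/grep
www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart example.service'

# Hardened fragment: the grep rule is removed, as the advisory recommends;
# the unrelated, argument-restricted service rule is left as an example of
# a rule that does not grant arbitrary file reads.
FIXED_SUDOERS='www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart example.service'

# find_grep_nopasswd USER SUDOERS_TEXT
# Prints every non-comment rule that grants USER a passwordless grep (any path
# ending in /grep, or a bare "grep"). Exit status is 0 if at least one such
# rule was found and 1 otherwise, so it can be used directly in a conditional.
find_grep_nopasswd() {
    user=$1
    text=$2
    printf '%s\n' "$text" |
        grep -v '^[[:space:]]*#' |
        grep -E "^[[:space:]]*${user}[[:space:]].*NOPASSWD:.*(^|[[:space:],:/])grep([[:space:],]|$)"
}

# report LABEL SUDOERS_TEXT: human-readable verdict for one fragment.
report() {
    if find_grep_nopasswd www-data "$2" >/dev/null; then
        echo "$1: passwordless root grep for www-data FOUND (remove this rule)"
    else
        echo "$1: no passwordless grep rule for www-data"
    fi
}

report WEAK_SUDOERS "$WEAK_SUDOERS"
report FIXED_SUDOERS "$FIXED_SUDOERS"
```

On a live host, the rules actually in effect for the account can be listed as root with `sudo -l -U www-data`, and `visudo -c` checks the sudoers syntax after the rule is removed.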

Weakness Enumeration

Improper Privilege Management
Missing Authentication

Related Identifiers

CVE-2020-13695

Affected Products

Quickbox Community Edition
Quickbox Pro Edition
Grep