CVE-2021-26753

Name of the Vulnerable Software and Affected Versions NeDi version 1.9C

Description The issue allows an authenticated user to inject PHP code in the System Files function on the endpoint "/System-Files.php" via the txt HTTP POST parameter. This enables an attacker to obtain access to the operating system where NeDi is installed and to all application data.

Recommendations For NeDi version 1.9C, as a temporary workaround, consider disabling access to the "/System-Files.php" endpoint until a patch is available. Restrict the use of the txt parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.