CVE-2021-28940

Name of the Vulnerable Software and Affected Versions: MagpieRSS version 0.72

Description: The issue arises from an incorrectly escaped exec command in the /extlib/Snoopy.class.inc file. This allows an attacker to add an extra command to the curl binary, creating a problem on the /scripts/magpie debug.php and /scripts/magpie simple.php pages. By sending a specific https URL in the RSS URL field, an attacker can execute arbitrary commands.

Recommendations: For MagpieRSS version 0.72, consider disabling the exec command in the /extlib/Snoopy.class.inc file as a temporary workaround until a patch is available. Restrict access to the /scripts/magpie debug.php and /scripts/magpie simple.php pages to minimize the risk of exploitation. Avoid using the RSS URL field with untrusted input until the issue is resolved.