PT-2022-11739 · Unknown · Feminer Wms
Leiyuyu041013 · Published 2022-05-16 · Updated 2022-07-12 · CVE-2021-42897
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
FeMiner wms version V1.0
Description
A remote command execution issue was found in FeMiner wms. The vulnerability is located in /wms/src/system/datarec.php, where the r_name variable from the $_POST request is passed directly into $mysqlstr and executed by the exec() function. This allows for potential remote command execution.
Recommendations
For FeMiner wms version V1.0, consider disabling the exec() function in the /wms/src/system/datarec.php file until a patch is available. Additionally, restrict access to the datarec.php file to minimize the risk of exploitation. Avoid using the r_name variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
Exploit
Fix
OS Command Injection
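The pattern in the Description, a POST value concatenated into a command string and handed to exec(), is avoided by checking the value against an allow-list and starting the process without a shell. The PHP sketch below is an added example, not FeMiner code; it assumes r_name names a SQL backup file to restore, and the backup directory, option-file path and database name are hypothetical.

```php
<?php
// Added illustration, not FeMiner code. BACKUP_DIR, the option-file path and
// the database name are assumptions made for this sketch.
const BACKUP_DIR = '/var/backups/wms';

// Resolve a client-supplied backup name to a file inside $dir, or null.
function resolve_backup(string $name, string $dir = BACKUP_DIR): ?string
{
    // Allow-list: a bare file name ending in .sql, no separators or spaces.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.sql\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject symlinks that lead outside the backup directory.
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Restore a backup without building a shell command string.
function restore_backup(string $name): bool
{
    $path = resolve_backup($name);
    if ($path === null) {
        return false;
    }
    // Array form of proc_open() (PHP 7.4+) starts mysql directly, no shell.
    $cmd  = ['mysql', '--defaults-extra-file=/etc/wms/restore.cnf', 'wms'];
    $spec = [0 => ['file', $path, 'r'],
             1 => ['file', '/dev/null', 'a'],
             2 => ['file', '/dev/null', 'a']];
    $proc = proc_open($cmd, $spec, $pipes);
    return is_resource($proc) && proc_close($proc) === 0;
}

// Constructed demo: one real file in a temp dir, then three candidate names.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/wms_demo_' . getmypid();
    mkdir($dir);
    touch($dir . '/backup_2022.sql');
    foreach (['backup_2022.sql', 'backup_2022.sql;id', '../etc/passwd'] as $n) {
        echo str_pad($n, 22), resolve_backup($n, $dir) ? 'accepted' : 'rejected', "\n";
    }
    unlink($dir . '/backup_2022.sql');
    rmdir($dir);
}
```

Because the file is attached as the child's standard input and the argument list is fixed, no part of the request value is ever parsed as a command or an option.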
Weakness Enumeration
Related Identifiers
Affected Products
Feminer Wms