CVE-2021-44981

Name of the Vulnerable Software and Affected Versions QuickBox Pro versions 2.5.8 and below

Description The issue allows for remote code execution due to a variable in the config.php file that takes a GET parameter value and parses it into a shell exec() function without properly sanitizing shell arguments. As the media server runs as root by default, attackers can use the sudo command within this shell exec() function, enabling privilege escalation through remote code execution.

Recommendations For versions 2.5.8 and below, consider disabling the shell exec() function in the config.php file until a patch is available to prevent remote code execution. Restrict access to the config.php file to minimize the risk of exploitation. Avoid using the sudo command within the shell exec() function in the affected versions.