CVE-2024-1115

Name of the Vulnerable Software and Affected Versions openBI versions up to 1.0.8

Description A critical issue affects the dlfile function of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to os command injection. The attack may be initiated remotely.

Recommendations For openBI versions up to 1.0.8, as a temporary workaround, consider disabling the dlfile function until a patch is available. Restrict access to the /application/websocket/controller/Setting.php file to minimize the risk of exploitation. Avoid using the phpPath argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.