LUCY Security Awareness Software through 4.7.x allows unauthenticated remote code execution because the Migration Tool (in the Support section) allows upload of .php files within a system.tar.gz file. The .php file becomes accessible with a public/system/static URI.
References
Link | Resource |
---|---|
https://abuyv.com/cve/lucy-file-upload-RCE | Exploit Third Party Advisory |
Configurations
History
No history.
Information
Published : 2021-03-11 07:15
Updated : 2024-02-28 18:08
NVD link : CVE-2021-28132
Mitre link : CVE-2021-28132
CVE.ORG link : CVE-2021-28132
JSON object : View
Products Affected
lucysecurity
- security_awareness
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')