inoERP form personalization module command execution

Added: 10/28/2020

Background

inoERP is an open-source, web-based enterprise management system.

Problem

A vulnerability in the form_personalization module allows remote, unauthenticated attackers to execute arbitrary PHP code injected in the template_code parameter.

Resolution

No fix is available at the time of this writing. Do not use inoERP, or restrict access to the web interface so it is only accessible by trusted users.

References

https://lyhinslab.org/index.php/2020/03/14/inoerp-ab-rce/

Platforms

Linux
