MegaSys Telenium Online Web Application OS Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability has been identified in the MegaSys Telenium Online Web Application in versions through 8.4.21. A PHP endpoint that is reachable without authentication passes user-supplied input into an operating system command. The only check on that input is a regular expression that does not reliably reject shell metacharacters, so a crafted HTTP request can inject arbitrary OS commands. Successful exploitation yields remote code execution on the server under the web application's service account.
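The advisory does not disclose the endpoint, parameter or regular expression involved, so the following is an added illustration of the bug class rather than Telenium's own code: a hypothetical "ping a host" endpoint whose regex check can be bypassed with a newline, placed beside a hardened version. The function names, the parameter and both regexes are assumptions.

```php
<?php
// Added illustration of a bypassable regex check in front of a shell
// command. Not Telenium code; endpoint, parameter and regexes are invented.

// Weak check, as seen in many PHP endpoints: the 'm' (multiline) modifier
// makes '^' and '$' match at line boundaries, so the regex only proves that
// SOME line of the input is a clean token, not the whole value.
function validate_host_weak(string $host): bool
{
    return preg_match('/^[A-Za-z0-9.-]+$/m', $host) === 1;
}

// Hardened check: anchored over the whole string, 'D' so that '$' cannot
// match before a trailing newline (PCRE default behaviour without 'D'),
// no leading '-' so the value cannot be parsed as a ping option, and a
// length cap. Everything outside the class is rejected, including "\n".
function validate_host_strict(string $host): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/D', $host) === 1;
}

// Vulnerable construction: plain concatenation after the weak check.
// Returns the command string instead of running it, so the bypass can be
// inspected safely; a real endpoint would hand this to shell_exec().
function build_ping_weak(string $host): ?string
{
    if (!validate_host_weak($host)) {
        return null;
    }
    return 'ping -c 1 ' . $host;
}

// Hardened construction: strict allowlist validation, then escapeshellarg()
// as defence in depth so a future regex mistake still cannot break out of
// the single-quoted argument.
function build_ping_strict(string $host): ?string
{
    if (!validate_host_strict($host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs. The second one passes the weak regex because its first
// line is a valid host; once handed to /bin/sh, the newline ends the ping
// command and "id" runs as a second command under the service account.
$inputs = [
    'example.com',
    "example.com\nid",
];

foreach (['weak' => 'build_ping_weak', 'strict' => 'build_ping_strict'] as $label => $fn) {
    foreach ($inputs as $input) {
        $cmd = $fn($input);
        printf("%-6s %-20s => %s\n", $label, json_encode($input), $cmd === null ? 'REJECTED' : str_replace("\n", '\n', $cmd));
    }
}
```

Run with `php` on the command line to see the weak path emit `ping -c 1 example.com\nid` while the strict path rejects it. The same newline trick also defeats an anchored pattern written without `D`, because PCRE lets `$` match just before a final newline; that is why the hardened regex uses both `D` and a character class that cannot contain a newline, and why the shell argument is additionally quoted with escapeshellarg().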
Impact
Successful exploitation allows for arbitrary operating system command injection, leading to remote code execution on the server in the context of the web application service account.
Remediation
Apply the vendor fix; instructions are available on the MegaSys support page. Because the affected endpoint is reachable without authentication, restrict network access to the web application until the fix has been applied.
