Primary

Context

Hzmanyun Education and Training System Command Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A critical command injection vulnerability has been identified in version 2.1 of the Hzmanyun Education and Training System. The issue arises in the 'exportPDF' function within the '/user/exportPDF' endpoint, where improper handling of the 'id' parameter allows for the injection of arbitrary commands. This vulnerability can be exploited remotely, potentially leading to unauthorized command execution on the server.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the potential for a complete system compromise.

Reproduction

To reproduce this vulnerability, send a request to the '/user/exportPDF' endpoint with a crafted 'id' parameter that includes injected commands. The server will execute the injected commands due to the command injection vulnerability, leading to unauthorized command execution.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.5

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

6.6

remediation

0.0

relevance

0.0

threat

6.5

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Hzmanyun Education and Training System Command Injection Vulnerability Leading to Remote Code Execution

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating