Xorux LPAR2RRD File Upload Directory Traversal Vulnerability Allowing Remote Code Execution

Vulnerability

A directory traversal vulnerability has been identified in Xorux LPAR2RRD versions through 8.04. It allows an authenticated, read-only user to upload a file and control its destination path on the local filesystem. Exploiting this flaw can overwrite existing Perl modules within the application, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Xorux LPAR2RRD is running.

Reproduction

To reproduce this vulnerability, an authenticated, read-only user uploads a file through the application's upgrade feature. The upload request must be crafted to include a directory traversal payload that sets a destination inside the application's Perl module directory. Once the file is uploaded, it can be executed by calling a specific script through the application's CGI interface, which triggers the uploaded payload.

Remediation

Users are advised to upgrade to Xorux LPAR2RRD version 8.05, which addresses this vulnerability.
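The two defender-side controls that matter for this bug class are shown below as an added example; it is not code from Xorux, LPAR2RRD or the advisory. The upload root and the CGI path in the sample log lines are hypothetical, and the log lines themselves are constructed. The first function lets the server, not the client, choose the upload directory and refuses any name that is not a single plain path component; the second scans access-log lines for a URL-decoded "filename=" parameter containing a ".." component.

```python
import os
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# Hypothetical upload root; the page gives no LPAR2RRD filesystem paths.
UPLOAD_ROOT = "/tmp/lpar2rrd-upload"


class UnsafeUploadPath(ValueError):
    """Client-supplied upload name would escape the upload root."""


def safe_upload_destination(user_name, upload_root=UPLOAD_ROOT):
    """Return the canonical destination for an upload, or raise.

    The server chooses the directory; the client contributes only a bare
    file name, which is refused unless it is a single plain path component.
    """
    name = PurePosixPath(user_name).name
    # Separators, '.'/'..' components, backslashes and NULs are refused.
    if name != user_name or name in ("", ".", "..") or "\\" in name or "\x00" in name:
        raise UnsafeUploadPath(f"rejected upload name: {user_name!r}")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Re-check after canonicalisation so a symlinked root cannot leak out.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeUploadPath(f"destination escapes upload root: {dest}")
    return dest


# '..' as a whole path component, in either separator style.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def find_traversal_uploads(log_lines):
    """Return log lines whose URL-decoded 'filename=' parameter traverses."""
    hits = []
    for line in log_lines:
        m = re.search(r'filename=([^&\s"]+)', line)
        if m and _TRAVERSAL.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed sample access-log lines; the CGI path is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - ro_user [29/Jul/2025:00:17:01 +0000] "POST /cgi-bin/upgrade.cgi?filename=patch.tar.gz HTTP/1.1" 200',
    '10.0.0.9 - ro_user [29/Jul/2025:00:18:44 +0000] "POST /cgi-bin/upgrade.cgi?filename=..%2F..%2Flib%2FModule.pm HTTP/1.1" 200',
]
```

Running find_traversal_uploads(SAMPLE_LOG) flags only the second line; the encoded form is caught because the parameter is decoded before the check.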

Added: Jul 29, 2025, 12:17 AM
Updated: Jul 29, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 0.3
threat: 6.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.