Givanz Vvveb Code Injection Vulnerability in Code Editor Component

Vulnerability

A critical code injection vulnerability has been identified in Givanz Vvveb version 1.0.5. The issue resides in the Code Editor component, specifically in the 'Save' function of 'admin/controller/editor/code.php'. The editor writes submitted content to PHP files without proper validation, so an authenticated administrator can inject arbitrary code that the server then executes, potentially leading to unauthorized access to or control over the server.

Impact

Successful exploitation results in code injection that can be used to execute arbitrary code on the server. In the reported case, it was demonstrated to establish a reverse shell connection, providing full control over the affected system.

Reproduction

To reproduce this vulnerability, an authenticated admin accesses the Vvveb admin panel and navigates to the code editor module, where PHP files can be edited without proper validation. Injecting a reverse shell payload into a theme PHP file and saving the changes causes the injected code to run, establishing a reverse shell connection to the server.
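Because the vulnerable path is a legitimate admin feature writing to theme PHP files, the practical defender-side control is file-integrity monitoring of those files. The following is an added example (not code from the Vvveb project or from this advisory): it records a baseline of hashes for the PHP files under a theme directory, then reports files that were added, modified or deleted since the baseline and lists any command-execution or socket functions that appear in changed files. The theme path, the baseline format and the list of flagged functions are assumptions of this example; the sample files it creates are constructed.

```python
"""Added example, not part of Vvveb: baseline-and-audit check for theme PHP files."""
import hashlib
import re
import tempfile
from pathlib import Path

# Functions whose sudden appearance in a theme template warrants an alert.
# Constructed list for this example; tune it for the deployment.
SUSPICIOUS = re.compile(
    r"\b(?:exec|shell_exec|system|passthru|popen|proc_open|fsockopen|eval)\s*\(",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(theme_dir: Path) -> dict:
    """Map each PHP file under theme_dir (relative path) to its digest.

    In practice this is taken from a known-good deploy and stored outside
    the web root so the editor cannot overwrite it.
    """
    return {
        str(p.relative_to(theme_dir)): sha256_file(p)
        for p in sorted(theme_dir.rglob("*.php"))
    }


def audit(theme_dir: Path, known: dict) -> list:
    """Compare the current PHP files against a baseline and return findings.

    Each finding names the file, the kind of change, and the suspicious
    function names found in the changed file (empty for deletions).
    """
    findings = []
    current = baseline(theme_dir)
    for rel, digest in current.items():
        if rel not in known:
            kind = "new-file"
        elif known[rel] != digest:
            kind = "modified"
        else:
            continue  # unchanged since baseline
        text = (theme_dir / rel).read_text(errors="replace")
        hits = sorted(
            {m.group(0).split("(")[0].strip().lower() for m in SUSPICIOUS.finditer(text)}
        )
        findings.append({"file": rel, "change": kind, "suspicious_calls": hits})
    for rel in known:
        if rel not in current:
            findings.append({"file": rel, "change": "deleted", "suspicious_calls": []})
    return findings


def demo() -> list:
    """Constructed scenario: take a baseline, then simulate an edit through the
    code editor that introduces a command-execution call into a template."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "themes" / "default"  # assumed layout
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php echo '<h1>Site</h1>'; ?>\n")
        (theme / "footer.php").write_text("<?php echo date('Y'); ?>\n")
        known = baseline(theme)
        # Constructed post-edit content: the template now calls exec().
        (theme / "footer.php").write_text("<?php echo date('Y'); exec('whoami'); ?>\n")
        return audit(theme, known)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the baseline step immediately after deploying or upgrading, and schedule the audit from outside the application (cron, a monitoring agent) so that an edit made through the admin editor is reported even when the admin session itself is legitimate.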

Remediation

Users are advised to upgrade to Givanz Vvveb version 1.0.6, which addresses this vulnerability.

Added: Aug 4, 2025, 5:51 PM
Updated: Aug 4, 2025, 5:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 0.3
threat: 6.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.