elecV2P Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in elecV2P versions through 3.8.3. The issue is in the jsfile endpoint, specifically in the runJSFile function of wbjs.js: the sJson function handles user-supplied JavaScript content unsafely, which permits code injection. Attackers can execute arbitrary JavaScript, including system commands, leading to full server compromise. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where elecV2P is running.

Reproduction

To reproduce this vulnerability, send a POST request to the /jsfile endpoint with the following parameters: 'jsname' (a name for the JavaScript file), 'jscontent' (the JavaScript code to be executed), 'type' (set this to 'totest' to trigger the vulnerability), and 'id' (a required parameter). The injected JavaScript code can include commands to be executed on the server, such as using the 'child_process' module to run system commands.
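
For defenders reviewing request logs, the following added example (not code from elecV2P or from this advisory's source) flags requests that match the pattern described above. The record shape `{ method, path, body }`, the function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example: flags request records matching the /jsfile pattern in this advisory.
// Assumption: records look like { method, path, body } with body already parsed
// into an object. This shape is hypothetical, not elecV2P's own log format.

// The only code indicator named on the page is the 'child_process' module.
const INDICATORS = [/child_process/];

function classifyJsfileRequest(rec) {
  if (!rec || String(rec.method).toUpperCase() !== 'POST') return null;
  // Ignore query string and trailing slashes when comparing the path.
  const path = String(rec.path || '').split('?')[0].replace(/\/+$/, '');
  if (path !== '/jsfile') return null;
  const body = rec.body && typeof rec.body === 'object' ? rec.body : {};
  // Only type 'totest' reaches the code path described in the advisory.
  if (body.type !== 'totest') return null;
  const content = typeof body.jscontent === 'string' ? body.jscontent : '';
  const hits = INDICATORS.filter((re) => re.test(content)).map((re) => re.source);
  return {
    jsname: typeof body.jsname === 'string' ? body.jsname : null,
    id: body.id ?? null,
    // Token matching is easy to sidestep, so every 'totest' submission is
    // surfaced for review; an indicator hit only raises the priority.
    severity: hits.length > 0 ? 'high' : 'review',
    indicators: hits,
  };
}

function scanRecords(records) {
  return records.map(classifyJsfileRequest).filter((f) => f !== null);
}

// Constructed sample records (not captured traffic); 'other' is a placeholder type.
const SAMPLE = [
  { method: 'GET', path: '/jsfile', body: null },
  { method: 'POST', path: '/jsfile', body: { jsname: 'a.js', jscontent: 'console.log(1)', type: 'other', id: 'x1' } },
  { method: 'POST', path: '/jsfile/', body: { jsname: 'b.js', jscontent: 'console.log(2)', type: 'totest', id: 'x2' } },
  { method: 'post', path: '/jsfile?t=1', body: { jsname: 'c.js', jscontent: "require('child_process')", type: 'totest', id: 'x3' } },
];

console.log(scanRecords(SAMPLE));
```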

Added: Mar 11, 2026, 9:18 PM
Updated: Mar 11, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.