elecV2 elecV2P Remote Command Injection Vulnerability

A remote code execution vulnerability has been identified in elecV2 elecV2P versions through 3.8.3. The issue arises in the 'pm2run' method of the '/rpc' endpoint, which lacks authentication and improperly sanitizes input. This flaw allows for OS command injection, as demonstrated by a proof-of-concept that successfully executed a command to read the '/etc/passwd' file.

Impact

Exploitation of this vulnerability allows for unauthorized remote code execution on the server where elecV2P is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/rpc' endpoint with the 'pm2run' method. Include a payload in the 'params' array that consists of a command to be executed on the server, such as 'cat /etc/passwd'. The response will include the output of the executed command, confirming the successful exploitation of the vulnerability.