lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.9106 Percentile:
0.99617
CVSS Scoring
CVSS v3.1 Score: 8.8
Severity: HIGH
KEV is present
Mapped CWE(s)
CWE-78
: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
All CAPEC(s)
CAPEC-108: Command Line Execution through SQL Injection