CVE-2018-9246 Information

Description

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH
