CVE-2019-25441

EUVD-2019-19607
thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
kostasmitroglouthesystem
1.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/kostasmitroglou/thesystem
https://www.exploit-db.com/exploits/47441
https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint