The vulnerability is due to a lack of input validation of user inputs in the Notrinos/NotrinosERP v0.7 installation. The installation script is responsible for parsing the user input and sending it to the vulnerable script. By injecting malicious code in the installation script, an attacker can inject code that will execute with system administrator privileges. An attacker could potentially use this vulnerability to install a malicious extension or theme, which would grant the attacker full access to the Notrinos/NotrinosERP v0.7 installation. A Notrinos/NotrinosERP v0.7 installation that is vulnerable to this issue may be accessible via the following URL: https://[HOST IP]/install/ An attacker could potentially access a Notrinos/NotrinosERP v0.7 installation via the following URL: https://[HOST IP]/install/ Note that the installation script is located in the root of the Notrinos/NotrinosERP v0.7 installation. An attacker could potentially inject malicious code into the installation script, which will execute with system administrator privileges.
Vulnerable script: install/install.php
The vulnerable script is install/install.php. This script will be executed when the installation is complete and it's responsible for parsing the user input and sending it to the vulnerable script, which is install/installer.php in this case.
An attacker could inject malicious code into this script, which would execute with system administrator privileges. By injecting malicious code into this script, an attacker could potentially modify or upload malicious extensions or themes that would grant the attacker full access to the Notrinos/NotrinosERP v0.7 installation.
Vulnerable scripts
The installation script, Notrinos/NotrinosERP.php, is vulnerable to this issue. The installation script will send all of the user input to the vulnerable script, Notrinos/NotrinosERP.php.
Vulnerability Details
Timeline
Published on: 08/21/2022 04:15:00 UTC
Last modified on: 08/23/2022 16:09:00 UTC