@@ -1,23 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-52jq-ww84-hqvp",
"modified": "2026-02-06T09:30:29Z",
"modified": "2026-02-06T09:30:35Z",
"published": "2026-02-06T09:30:29Z",
"aliases": [
"CVE-2026-2010"
],
"details": "A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.",
"summary": "OS command Injection Vulnerability in PublicCMS V5.202506.a and V5.202506.b",
"details": "# Vulnerability in PublicCMS V5.202506.a and V5.202506.b\n\nPublicCMS V5.202506.a and V5.202506.b are vulnerable to an OS Command Injection vulnerability [](https://nvd.nist.gov/vuln/detail/CVE-2025-57516). The system fails to properly sanitize database configuration parameters (database name, username, and password) before passing them to operating system shell scripts (backupDB.bat and backupDB.sh). An attacker can exploit this by using command separators to execute arbitrary code on the underlying server.\n\n- **Versions**: V5.202506.a, V5.202506.b\n\n## Details\n\nThe vulnerability is located in the database backup logic. When a user triggers a script execution via the administration panel, the system constructs a command array to call localized backup scripts.\n\n- **Vulnerability Type**: [CWE-78: Improper Neutralization of Special Elements used in an OS Command](https://cwe.mitre.org/data/definitions/78.html)\n- **Root Cause**: The system directly concatenates the DATABASE, USERNAME, and PASSWORD variables into a command string without neutralizing shell metacharacters such as |, &, or ;.\n- **Execution Flow**:\n 1. The admin interface sysSite/execScript is called.\n 2. The system retrieves database credentials from database.properties.\n 3. These credentials are piped into backupDB.bat (Windows) or backupDB.sh (Linux).\n 4. The shell interprets characters like | as a pipe command, executing the subsequent string as a new system command.\n\n## Proof of Concept (PoC)\n\nAn attacker can trigger this vulnerability during the initial installation or by modifying an existing configuration:\n\n- **Setup Malicious Credential**: During installation, set the database password to include a command separator and the target command.\n- **Example Password**: publiccms|calc\n\n**Trigger Execution:**\n\n1. Log in to the backend.\n2. Navigate to: Site -> Execute Script.\n3. 
Select backupDB.bat (for Windows) or backupDB.sh (for Linux) and click Execute.\n\n**Result**: The system command (e.g., calc.exe on Windows) will execute with the privileges of the web server.\n\n## Affected Components\n\n- **Product**: PublicCMS\n\n- **Files**: backupDB.bat, backupDB.sh, and the Java controller handling execScript.\n\n## Fix Method\n\nTo remediate this vulnerability, developers should:\n\n- **Input Validation**: Implement a strict allowlist for database names, usernames, and passwords, prohibiting characters like ;, &, |, >, and <.\n- **Parameterized Execution**: Instead of string concatenation, use ProcessBuilder in Java to pass arguments to scripts safely, ensuring they are treated as data rather than executable commands.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L"
},
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
}
],
"affected": [
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
"package": {
"ecosystem": "Maven",
"name": "PublicCMS"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "N/A"
}
]
}
]
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
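Review bot: The new `summary` and `details` describe an OS command injection through backupDB.bat/backupDB.sh and link CVE-2025-57516, while `id` and `aliases` still identify this record as GHSA-52jq-ww84-hqvp / CVE-2026-2010, whose existing `details` describe improper authorization via `paymentId` in TradePaymentService.java. Replacing one CVE's description with a write-up of a different vulnerability loses the original finding; suggest keeping the existing `details` here and filing the command injection as its own advisory with CVE-2025-57516 as the alias. Also in this hunk: the new CVSS 3.1 vector uses PR:N although the PoC steps begin with "Log in to the backend", `"fixed": "N/A"` is not a version (omit the `fixed` event when no fixed release is known), `"name": "PublicCMS"` under the Maven ecosystem is not in groupId:artifactId form, and the NVD link in `details` has empty link text.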
@@ -36,7 +53,7 @@
"url": "https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02"
},
{
"type": "WEB",
"type": "PACKAGE",
"url": "https://github.com/sanluan/PublicCMS"
},
{
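Review bot: The context line above the type change still references commit 7329437e1288540336b1c66c114ed3363adcba02, which the original `details` name as the patch for the `paymentId` authorization issue, yet the rewritten advisory text names no fix commit and marks the fixed version as N/A. If the record is meant to stay on CVE-2026-2010, the commit reference is correct and the description should be restored; if it is meant to cover the command injection, this reference does not belong to it. The `WEB` to `PACKAGE` change for the repository URL is fine on its own.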
@@ -54,9 +71,9 @@
],
"database_specific": {
"cwe_ids": [
"CWE-266"
"CWE-78"
],
"severity": "LOW",
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-06T08:15:54Z"
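Review bot: `cwe_ids` and `severity` are reclassified from CWE-266/LOW to CWE-78/HIGH to match the command injection text, but `nvd_published_at` is unchanged and the record is still keyed to CVE-2026-2010, which was described as improper authorization. Suggest leaving `"CWE-266"` and the original severity on this record and carrying `"CWE-78"` and `"HIGH"` in a separate advisory for the command injection, so the classification matches the CVE each record aliases.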