vendor:
LiteSpeed Web Server Enterprise
by:
cmOs - SunCSR
N/A
CVSS
HIGH
Command Injection
78
CWE
Product Name: LiteSpeed Web Server Enterprise
Affected Version From: 5.4.11
Affected Version To: 5.4.11
Patch Exists: NO
Related CWE:
CPE: a:litespeed_technologies:litespeed_web_server_enterprise:5.4.11
Platforms Tested: Ubuntu, Kali Linux
2021
LiteSpeed Web Server Enterprise 5.4.11 – Command Injection (Authenticated)
The LiteSpeed Web Server Enterprise version 5.4.11 is vulnerable to command injection. An authenticated attacker can exploit this vulnerability to execute arbitrary commands on the server. The vulnerability exists in the 'Server Configuration > Server > External App > Edit' section, where the 'Command' value is not properly sanitized. By injecting a malicious payload, an attacker can execute arbitrary commands with the privileges of the server.
Mitigation:
To mitigate this vulnerability, it is recommended to update to a patched version of LiteSpeed Web Server Enterprise. Additionally, restrict access to the dashboard and ensure strong authentication measures are in place.