CVE-2022-41437 Billing System Project v1.0 had a remote code execution vulnerability in the createProduct.php component.

This can be leveraged to install a custom PHP script onto the system via a remote attacker. An attacker can leverage this RCE vulnerability to install any malicious PHP script onto a system.

This can be exploited by malicious administrators to install a malicious PHP script onto a system. This malicious PHP script can be used to perform various functions, such as: steal sensitive data, perform injection attacks, etc.

The following is a list of software that could be exploited by this exploit.

Apache Tomcat / v1.4.1 - v1.5.0

Nginx / 1.10.3 - 1.10.5

Redis / 3.2.8 - 3.2.12

Redis Cluster / 3.2.8 - 3.2.12

Redis exception handling / 3.2.8 - 3.2.12

Redis LUA scripting / 3.2.8 - 3.2.12

Redis key-value / 3.2.8 - 3.2.12

Redis persistence / 3.2.8 - 3.2.12

Redis replication / 3.2.8 - 3.2.12
Redis sha1 hashing / 3.2.8 - 3.2.12

Redis slave selection / 3.2.8 - 3.2.12

Redis signing /

Installation

The following is a list of software that can be installed using this exploit.

Apache Tomcat / v1.4.1 - v1.5.0

Nginx / 1.10.3 - 1.10.5

Redis / 3.2.8 - 3.2.12

Sensitive Data Exposure

The following are some of the data elements that could be exposed by this exploit:

memory_limit, max_execution_time, max_input_time, pid, timeout.

Timeline

Published on: 09/30/2022 15:15:00 UTC
Last modified on: 10/04/2022 16:38:00 UTC

References