In QuickBox Community Edition up to and including 2.5.5 and Pro Edition up to and including 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an malicious user to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
quickbox quickbox |