code610

2 exploits, active since Jan 2018
CVE-2019-25671 EXPLOITDB HIGH python WORKING POC
VA MAX 8.3.4 Remote Code Execution via changeip.php
VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. An attacker sends a POST request to the changeip.php endpoint with a malicious payload in the mtu_eth0 field; because the value is passed to a shell, the injected command runs as the apache user.
CVSS 8.8
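The entry above describes the vulnerability class only (shell metacharacters in an MTU form field reaching a shell). The following is an added example, not code from the VA MAX product or from the listed proof of concept: a constructed Python stand-in for a handler that splices mtu_eth0 into a shell command, shown beside a hardened version that validates the field as an integer and passes it as an argv element with no shell. `echo` stands in for the real interface-configuration command so the example runs harmlessly anywhere; the function names, the MTU bounds and the metacharacter list are this example's own assumptions.

```python
import re
import subprocess

# Constructed stand-in for a handler like the one described for changeip.php:
# the mtu_eth0 field is spliced into a command string run by /bin/sh.
# "echo" replaces the real interface command so this runs harmlessly.
def apply_mtu_unsafe(mtu_eth0: str) -> str:
    cmd = f"echo setting mtu {mtu_eth0}"
    # shell=True: ';', '|', '$(...)' etc. in mtu_eth0 become part of the command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist: only a short decimal integer may ever reach the command (assumed policy).
MTU_RE = re.compile(r"[0-9]{2,5}")


def validate_mtu(mtu_eth0: str) -> int:
    """Return mtu_eth0 as an int, or raise ValueError for anything else."""
    if MTU_RE.fullmatch(mtu_eth0) is None:
        raise ValueError(f"mtu_eth0 is not a decimal integer: {mtu_eth0!r}")
    mtu = int(mtu_eth0)
    # 68 is the IPv4 minimum; 9000 is a common jumbo-frame ceiling (assumed bounds).
    if not 68 <= mtu <= 9000:
        raise ValueError(f"mtu_eth0 out of range: {mtu}")
    return mtu


def apply_mtu_safe(mtu_eth0: str) -> str:
    """Hardened version: validated integer, passed as an argv element, no shell."""
    mtu = validate_mtu(mtu_eth0)
    argv = ["echo", "setting", "mtu", str(mtu)]
    # No shell is involved, so the argument can never split into a second command.
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Triage helper for request logs or WAF rules: flags values that carry the
# metacharacters a shell would interpret (assumed list, not exhaustive).
SHELL_META = set(";|&`$(){}<>\n")


def contains_shell_metacharacters(value: str) -> bool:
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    payload = "1500; echo INJECTED"  # constructed sample field value
    print(apply_mtu_unsafe(payload))  # second line shows the injected command ran
    print(contains_shell_metacharacters(payload))
    try:
        apply_mtu_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the unsafe path printing a second line from the injected `echo`, while the hardened path rejects the same value before any process is started. The important design point is that the fix is not escaping but structure: an argv list cannot be re-parsed into a second command, and the integer allowlist rejects everything that is not an MTU.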
CVE-2018-6393 WRITEUP HIGH WORKING POC
FreePBX 10.13.66-32bit and 14.0.1.24 - Authenticated SQL Injection via Order Parameter
FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow post-authentication SQL injection via the order parameter. NOTE: the vendor disputes this issue because it is intentional that a user can "directly modify SQL tables ... [or] run shell scripts ... once ... logged in to the administration interface; there is no need to try to find input validation errors."
CVSS 7.2
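An ORDER BY clause cannot take a bound parameter, which is why sort-order fields are a recurring injection point: the column name has to be spliced into the statement as text. The following is an added example, not FreePBX code and not the listed write-up's payload: a constructed SQLite database with a handler that splices an `order` value into ORDER BY, a boolean-based inference that uses only the sort order to learn about a row in another table, and a hardened handler that maps the field through an allowlist. Table and column names, the secret value and the function names are this example's own assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; nothing here is FreePBX's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE extensions(ext TEXT, name TEXT);
        INSERT INTO extensions VALUES ('1001', 'bob'), ('1002', 'alice');
        CREATE TABLE secrets(v TEXT);
        INSERT INTO secrets VALUES ('admin-token');
        """
    )
    return conn


def list_extensions_unsafe(conn: sqlite3.Connection, order: str) -> list:
    # The order field is spliced into SQL text: any expression the database
    # accepts in ORDER BY now runs with the application's privileges.
    return conn.execute(
        f"SELECT ext, name FROM extensions ORDER BY {order}"
    ).fetchall()


def secret_starts_with(conn: sqlite3.Connection, prefix: str) -> bool:
    """Boolean-based inference through the sort order alone.

    If the condition is true the rows sort by ext (bob first); if false they
    sort by name (alice first). No error and no data from `secrets` is shown,
    yet the first row leaks one bit about it.
    """
    payload = (
        "(CASE WHEN (SELECT v FROM secrets) LIKE "
        f"'{prefix}%' THEN ext ELSE name END)"
    )
    rows = list_extensions_unsafe(conn, payload)
    return rows[0][1] == "bob"


# Hardened version: the user picks a key, the application supplies the SQL.
ALLOWED_ORDER = {"ext": "ext", "name": "name"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def list_extensions_safe(
    conn: sqlite3.Connection, order: str, direction: str = "asc"
) -> list:
    col = ALLOWED_ORDER.get(order)
    dirn = ALLOWED_DIRECTION.get(direction)
    if col is None or dirn is None:
        raise ValueError(f"unsupported order: {order!r} {direction!r}")
    # Only allowlisted literals ever reach the statement text.
    return conn.execute(
        f"SELECT ext, name FROM extensions ORDER BY {col} {dirn}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(list_extensions_unsafe(db, "ext"))
    print("secret starts with 'a':", secret_starts_with(db, "a"))
    print("secret starts with 'z':", secret_starts_with(db, "z"))
    print(list_extensions_safe(db, "name", "desc"))
```

The inference function is the practical reason an ORDER BY injection is rated as it is even when it cannot stack statements: one yes/no per request is enough to read any value the database user can select. The allowlist dictionary is the standard fix; validation by regex on the raw string is weaker because a bare identifier like `name` and a subquery both need to be expressible, and the dictionary makes the distinction explicit.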