SOY CMS version 3.14.2 contains an OS command injection vulnerability in its file upload feature, reachable by a logged-in administrator. A specially crafted file name containing a semicolon leads to the execution of arbitrary OS commands; the affected code path is the jpegoptim functionality.
Impact: Arbitrary OS command execution via file upload
・Attack vector: Requires administrator login.
・Components affected: File upload functionality.
・Tested SOY CMS Version: 3.14.2
・Affected SOY CMS Version: < 3.14.2
Found by takuto.tanda in GMO Cybersecurity by Ierae, Inc.
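A hardened way to hand an uploaded JPEG to jpegoptim, given as an added example and not as SOY CMS code or the vendor's fix. The function names, the extension allow-list and the `--strip-all` option choice are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from SOY CMS.
// Pattern to avoid: building a shell string from the client's file name,
// e.g. exec('jpegoptim ' . $clientName), where ';' ends the command.

const ALLOWED_JPEG_EXT = ['jpg', 'jpeg'];

/** Derive a server-side name so the client-supplied name is never reused. */
function safe_storage_name(string $clientName): string
{
    // "photo.jpg;x" yields the extension "jpg;x", which fails the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_JPEG_EXT, true)) {
        throw new InvalidArgumentException('unsupported extension');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Run jpegoptim without a shell. With an array command (PHP 7.4+),
 * proc_open() passes each element as a single argv entry, so shell
 * metacharacters in the path are never interpreted.
 */
function optimize_jpeg(string $path): int
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('file not found');
    }
    // "--" ends option parsing, so a path starting with "-" is not an option.
    $cmd  = ['jpegoptim', '--strip-all', '--', $real];
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start jpegoptim');
    }
    stream_get_contents($pipes[1]);   // drain stdout so the child can exit
    fclose($pipes[1]);
    return proc_close($proc);         // jpegoptim exit status
}

// Constructed sample input: a file name carrying a semicolon is rejected.
try {
    safe_storage_name('photo.jpg;constructed-sample');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
echo safe_storage_name('photo.JPG'), PHP_EOL;   // random hex name + ".jpg"
```

Where a shell string cannot be avoided, `escapeshellarg()` on every interpolated value is the fallback; the array form above removes the shell altogether.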