mirror of
https://github.com/0x5t4l1n/CVE.git
synced 2026-05-26 11:25:49 +00:00
Stalin
35 lines
848 B
Markdown
35 lines
848 B
Markdown
|
|
|
|
# CVE-2026-48098 — Unsafe Use of sudo and shell=True in NexTOR IP Changer
|
|
|
|
**Severity:** High
|
|
**CWE:** CWE-78, CWE-250
|
|
|
|
## Summary
|
|
|
|
NexTOR IP Changer executes privileged system commands using `sudo` and `shell=True` directly inside application logic. In environments where passwordless sudo (`NOPASSWD`) is enabled, privileged commands may execute silently without explicit user confirmation.
|
|
|
|
## Impact
|
|
|
|
* Privileged command execution
|
|
* Potential command injection risks
|
|
* Unauthorized system-level modifications
|
|
* Elevated impact in misconfigured sudo environments
|
|
|
|
## Affected
|
|
|
|
1.0.0-1
|
|
|
|
## Fixed
|
|
|
|
v2.0.0
|
|
|
|
## References
|
|
|
|
* https://github.com/advisories/GHSA-fpxg-q9p5-5wvm
|
|
* https://github.com/0x5t4l1n/NexTOR_IP_CHANGER/releases/tag/v2.0.0
|
|
|
|
## Credits
|
|
|
|
Remediation Developer: 0x5t4l1n
|