NeDi 1.9C Authenticated PHP Code Injection in System Files Function

NeDi 1.9C Authenticated PHP Code Injection in System Files Function

CVE-2021-26753 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data.

Learn more about our User Device Pen Test.