CVE Details
Basic Information
| Title | Vaelsys vgrid_server.php execute_DataObjectProc os command injection |
|---|---|
| Type | cve |
| Published | 2025-07-28T05:32:04.923Z |
| Modified | 2025-07-28T05:32:04.923Z |
Product Information
| Vendor | n/a |
|---|---|
| Product | Vaelsys |
| Version | 4.1.0 |
CVSS Information
| Base Score | 6.9 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
AI Analysis
| AI Description | A critical vulnerability in Vaelsys 4.1.0 allows remote attackers to inject OS commands via the xajaxargs argument in the execute_DataObjectProc function. This could lead to remote code execution, and the exploit is publicly available. The vendor has not responded to the disclosure. |
|---|---|
| AI Severity | Medium |
| AI Vendor | Unknown |
| AI Product | Vaelsys |
| AI Version | 4.1.0 |
Affected Products
- n/a Vaelsys 4.1.0
Additional Information
| CWE List | CWE-78, CWE-77 |
|---|---|
| Source | VulDB |
Description
A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.