Elecv2P

6 CVEs product

Monthly

CVE-2026-5016 MEDIUM POC This Month

Server-Side Request Forgery (SSRF) in elecV2P versions up to 3.8.3 allows unauthenticated remote attackers to manipulate internal or external HTTP requests via the eAxios function in the /mock URL handler. The vulnerability enables unauthorized access to internal resources, data exfiltration from confidential endpoints, and potential lateral movement within internal networks. Publicly available exploit code exists (GitHub issue #202), significantly lowering the barrier to exploitation. EPSS data not provided, but the combination of network-accessible attack vector, low complexity, no authentication requirement, and public POC represents elevated real-world risk. Vendor has not responded to early disclosure.

SSRF Elecv2P
NVD VulDB GitHub
CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-5015 LOW POC Monitor

Reflected cross-site scripting (XSS) in elecV2P up to version 3.8.3 allows remote attackers to inject malicious scripts via the filename parameter in the /logs endpoint, requiring user interaction to execute. The vulnerability has publicly available exploit code and affects all versions through 3.8.3, with no vendor patch released despite early notification through issue reporting.

XSS Elecv2P
NVD VulDB GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-5014 MEDIUM POC This Month

Path traversal in elecV2P's wildcard handler allows unauthenticated remote attackers to read files outside intended directories via improper path validation in the /log/ endpoint, affecting versions up to 3.8.3. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 reflecting limited confidentiality impact. The vendor has not responded to early disclosure despite issue notification.

Path Traversal Elecv2P
NVD VulDB GitHub
CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-5013 MEDIUM POC This Month

Path traversal in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to read arbitrary files via manipulation of the URL argument in the /store/:key endpoint's path.join function. The vulnerability has a CVSS score of 5.5 with low confidentiality impact, publicly available exploit code exists, and the vendor has not responded to early notification through an issue report.

Path Traversal Elecv2P
NVD GitHub VulDB
CVSS 4.0: 5.5 | EPSS: 0.0%
CVE-2026-5012 MEDIUM POC This Month

Operating system command injection in elecV2P up to version 3.8.3 allows unauthenticated remote attackers to execute arbitrary commands through the pm2run function in the /rpc endpoint. The vulnerability has a CVSS score of 6.9 with publicly available exploit code, though the vendor has not yet responded to early notification of the issue. This represents a moderate-to-high risk for exposed elecV2P instances due to the combination of remote exploitability, low attack complexity, and confirmed public exploit availability.

Command Injection Elecv2P
NVD VulDB GitHub
CVSS 4.0: 5.5 | EPSS: 1.0%
CVE-2026-5011 LOW POC Monitor

Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.

Code Injection RCE Elecv2P
NVD VulDB GitHub
CVSS 4.0: 2.1 | EPSS: 0.0%
