Termix
Monthly
Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.
Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.
Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.
Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.
Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attackers positioned on the network path to steal login credentials and JWT/session tokens because the Electron client disables TLS certificate validation entirely. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the CVSS 8.0 rating with scope-change and the absence of any vendor-released patch make this a meaningful concern for any user running Termix Desktop on untrusted networks.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0.
Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.
Docker default credentials in Termix server management. PoC and patch available.
Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.
Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.
Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.
Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.
Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attackers positioned on the network path to steal login credentials and JWT/session tokens because the Electron client disables TLS certificate validation entirely. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the CVSS 8.0 rating with scope-change and the absence of any vendor-released patch make this a meaningful concern for any user running Termix Desktop on untrusted networks.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0.
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0.
Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.
Docker default credentials in Termix server management. PoC and patch available.