Vfs
Monthly
OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch (v3.0.1) exists and the CVSS 4.0 base score is 7.7 (High).
OS command injection in the Horde_Vfs_Smb driver of the Horde Virtual File System (VFS) API before 3.0.1 lets authenticated users execute arbitrary shell commands on the server. The flawed _escapeShellCommand() method fails to neutralize shell command-substitution sequences, so attacker-controlled filenames passed through routine file operations are interpolated into a double-quoted /bin/sh -c context and executed via proc_open() before smbclient runs. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch (v3.0.1) exists and the CVSS 4.0 base score is 7.7 (High).