High severity8.8NVD Advisory· Published Jan 24, 2022· Updated Jun 17, 2026
CVE-2021-44981
CVE-2021-44981
Description
In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- QuickBox Pro/QuickBox Prodescription
Patches
Vulnerability mechanics
References
2- websec.nl/blog/61b2b37a43a1155c848f3b08/websec%20finds%20critical%20vulnerabilities%20in%20popular%20media%20servernvdExploitThird Party Advisory
- github.com/QuickBox/QB/issues/202nvdIssue TrackingThird Party Advisory
News mentions
0No linked articles in our index yet.