Remote Code Execution (RCE) vulnerability in super-xray via URL input
Description
super-xray is a vulnerability scanner (xray) GUI launcher. In version 0.1-beta, the URL is not filtered and directly spliced into the command, resulting in a possible RCE vulnerability. Users should upgrade to super-xray 0.2-beta.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Super-xray 0.1-beta fails to sanitize URL input, allowing command injection and remote code execution.
Vulnerability
The vulnerability is a command injection in super-xray version 0.1-beta. The URL input is not filtered and is concatenated directly into a command string that is then executed via cmd.exe or a shell. The code in initActiveScan() builds the command with xrayCmd.buildCmd() and passes it to execAndFresh(), which calls ExecUtil.execCmdGetStream() to run it. Because the URL parameter is never sanitized, shell metacharacters in it are interpreted as additional commands, allowing an attacker to run arbitrary commands. [1]
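An added illustration of the pattern described above, placed beside a hardened form; this is not super-xray's code. The unsafe builder splices the URL into one shell command line, while the safe builder parses the URL strictly, allows only absolute http(s) URLs, and hands the scanner an argument list with no shell in between. The xray binary path, the `webscan --url` arguments and the sample inputs are assumptions made for the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class SafeScanLauncher {

    // Unsafe pattern the advisory describes: the user-supplied URL becomes part of a
    // single shell command line, so metacharacters in it are parsed as extra commands.
    static String buildCmdUnsafe(String xrayPath, String url) {
        return "cmd.exe /c " + xrayPath + " webscan --url " + url;
    }

    // Hardened form: reject anything that is not an absolute http(s) URL, then return
    // the URL as one argv element so no shell ever interprets its contents.
    static List<String> buildCmdSafe(String xrayPath, String url) {
        URI uri;
        try {
            uri = new URI(url); // strict RFC 2396 parse; spaces and stray chars fail here
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL: " + url, e);
        }
        String scheme = uri.getScheme();
        boolean httpLike = scheme != null
                && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"));
        if (!httpLike || uri.getHost() == null) {
            throw new IllegalArgumentException("only absolute http(s) URLs are accepted: " + url);
        }
        return Arrays.asList(xrayPath, "webscan", "--url", uri.toString()); // assumed xray flags
    }

    // Launch without a shell: ProcessBuilder receives the argument list directly.
    static Process launch(List<String> argv) throws IOException {
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: one well-formed URL, one that a shell would split.
        String[] inputs = { "https://example.com/app", "http://example.com/ & extra" };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + buildCmdSafe("xray", in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The second constructed input is rejected at the parse step; even a URL that passes parsing cannot spawn a second command, because the argument list never reaches cmd.exe or a shell.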
Exploitation
An attacker needs local access to the system running super-xray and must have high privileges (e.g., ability to launch the GUI and interact with it). The user must click the "active scan" button after entering a malicious URL. The injected commands are executed with the privileges of the super-xray process. No network position is required beyond local access. [1]
Impact
Successful exploitation allows arbitrary command execution (RCE) on the host system. The attacker gains full control over the application's privileges, leading to high confidentiality, integrity, and availability impact. [1]
Mitigation
The vulnerability is fixed in super-xray version 0.2-beta. Users should upgrade immediately. No workarounds are provided. The advisory does not list this CVE in CISA's KEV. [1][2]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 0.2-beta
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.