VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2022 · Updated May 1, 2025

CVE-2022-45182

Description

CVE-2022-45182: Pi-Star DV Dashboard mishandles the module parameter, allowing unvalidated input to be processed, which can lead to unexpected behavior.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Pi-Star DV Dashboard (Pi-Star_DV_Dash) versions prior to commit 5aa194d mishandle the Module parameter. The issue is in the link_manager.php file, where the Module parameter from $_POST["Module"] is not properly validated before being used. Specifically, the code does not sanitize the input for allowed characters or length when the link action is set to "UNLINK" [1][3]. This can lead to the module parameter being processed with arbitrary content, potentially bypassing earlier sanitization checks that are only applied in the non-UNLINK case [3].

Exploitation

An attacker needs network access to the Pi-Star DV Dashboard web interface and the ability to send HTTP POST requests. The attacker can craft a POST request to the link manager endpoint with the Link parameter set to "UNLINK" and provide a malicious Module parameter. Under the vulnerable code path, the Module parameter is assigned directly from $_POST["Module"] without sanitization (e.g., via substr and preg_replace) as seen in the commit fix [3][4]. This means an attacker can inject arbitrary strings, including special characters, into the module processing logic.

Impact

Successful exploitation could lead to unexpected behavior in the DV Dashboard, including potential injection of control characters or malformed data into subsequent processing steps. The exact impact depends on how the unsanitized module value is used downstream; however, the original security issue report suggests it could enable command injection or other malicious actions [1]. The attacker could potentially disrupt normal operation of the Pi-Star system, cause denial of service, or gain unauthorized control over certain functions, although specific details of the full exploitation chain were not disclosed.

Mitigation

The vulnerability was fixed in commit 5aa194d [1]. The fix ensures that the Module parameter is properly sanitized in the UNLINK code path as well, by applying the same length truncation (substr) and character whitelisting (preg_replace) that were already present in the non-UNLINK case [3][4]. Users should update their Pi-Star DV Dashboard to the latest version that includes this commit. There is no known workaround other than applying the patch. The CVE is not listed in the known exploited vulnerabilities (KEV) catalog.
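
The pattern the mitigation describes, sketched in PHP as an added illustration (this is not Pi-Star's code and not the text of the fix commit): the same `substr` and `preg_replace` steps are applied before the action branch, so the UNLINK path cannot skip them. The length limit, the allowed character class, the function names and the sample inputs are assumptions made for this example.

```php
<?php
// Added illustration, not Pi-Star's code. The limit and character class
// below are assumed; the advisory does not state the real values.
const MODULE_MAX_LEN = 8;                   // assumed
const MODULE_DISALLOWED = '/[^A-Za-z0-9]/'; // assumed

// The two steps the advisory names: truncate, then strip disallowed characters.
function sanitize_module(string $raw): string
{
    return (string) preg_replace(MODULE_DISALLOWED, '', substr($raw, 0, MODULE_MAX_LEN));
}

// Shape of the flaw: sanitization sits inside one branch only.
function module_before(array $post): string
{
    if (($post['Link'] ?? '') === 'UNLINK') {
        return (string) ($post['Module'] ?? ''); // raw value reaches later code
    }
    return sanitize_module((string) ($post['Module'] ?? ''));
}

// Shape of the fix: sanitize once, before branching on the action.
function module_after(array $post): string
{
    $raw = $post['Module'] ?? '';
    if (!is_string($raw)) {
        $raw = ''; // reject arrays such as Module[]=...
    }
    return sanitize_module($raw);
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['Link' => 'LINK',   'Module' => 'B'],
    ['Link' => 'UNLINK', 'Module' => "B!?\n"],
];

foreach ($samples as $post) {
    printf(
        "%-6s before=%s after=%s\n",
        $post['Link'],
        json_encode(module_before($post)),
        json_encode(module_after($post))
    );
}
```

For the constructed UNLINK sample, `module_before` returns the value unchanged while `module_after` returns only `B`; for the LINK sample both return `B`.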

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Pi-Star DV/Pi-Star_DV_Dash [description]
  • star/star [llm-fuzzy]
    Range: < 5aa194d

Patches

0

No patches discovered yet.

References

5
