CVE-2024-39914: FOG Project export.php Unauthenticated Command Injection

A significant security vulnerability has been identified in the FOG Project, an open-source computer cloning and imaging solution. The flaw lies in the export.php script and is classified as an unauthenticated command injection.

In practice, this means an attacker can execute arbitrary operating system commands on the server hosting the FOG Project instance without any login credentials. The vulnerability arises from insufficient sanitization or handling of user-supplied input processed by export.php: crafted input can inject shell commands that the server then executes, resulting in remote code execution.

The impact of such a flaw is severe. Successful exploitation could allow an attacker to compromise the server entirely, gain access to sensitive data, install malware, or disrupt operations. Because the vulnerability is unauthenticated, it is particularly dangerous as it exposes FOG Project installations directly to external attackers. Users of FOG Project should be aware of this critical flaw and understand the potential risks associated with this command injection vulnerability.

Source: https://www.offsec.com/blog/cve-2024-39914/
