Full title: Froxlor 2.0.6 Remote Command Execution Exploit
Category: remote exploits
Platform: linux

Froxlor versions 2.0.6 and below suffer from a bug that lets authenticated users change the application log path to any directory at the OS level that the user www-data can write to, with no restriction imposed by the backend. This makes it possible to write a malicious Twig template that the application will then render, which leads to remote command execution as the user www-data.

# 0day.today @ http://0day.today/
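The description above comes down to a user-controlled log path that is never confined. As an added example (not code from Froxlor or from this advisory), here is one way a settings handler could validate such a path before accepting it; the function name, the directory layout and the `.log` suffix rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical log file path if it stays inside $allowedDir,
 * or null if the request must be rejected. Hypothetical helper.
 */
function validateLogPath(string $requested, string $allowedDir): ?string
{
    // Reject empty values, NUL bytes and relative paths outright.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] !== '/') {
        return null;
    }
    $base = realpath($allowedDir);
    // The log file may not exist yet, so canonicalise its parent directory.
    // realpath() resolves ".." and symlinks and fails if the directory is missing.
    $parent = realpath(dirname($requested));
    if ($base === false || $parent === false) {
        return null;
    }
    // The parent must be the allowed directory itself or a subdirectory of it.
    if ($parent !== $base && strncmp($parent, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    // Accept only plain "*.log" names, so the file can never carry an
    // extension that a template engine or interpreter would pick up.
    $name = basename($requested);
    if (!preg_match('/\A[A-Za-z0-9._-]+\.log\z/', $name)) {
        return null;
    }
    $full = $parent . '/' . $name;
    // An existing target must not be a symlink pointing somewhere else.
    return is_link($full) ? null : $full;
}

// Constructed demo layout under the system temp directory (not real Froxlor paths).
$root = sys_get_temp_dir() . '/logpath-demo-' . getmypid();
@mkdir("$root/logs", 0700, true);
@mkdir("$root/templates", 0700, true);

foreach ([
    "$root/logs/panel.log",              // inside the log directory
    "$root/templates/index.html.twig",   // template directory
    "$root/logs/../templates/x.log",     // traversal out of the log directory
    "$root/logs/evil.html.twig",         // right directory, wrong file type
    "logs/panel.log",                    // relative path
] as $candidate) {
    $result = validateLogPath($candidate, "$root/logs");
    printf("%-70s %s\n", $candidate, $result === null ? 'REJECTED' : 'OK');
}
```

Only the first candidate is accepted. Pairing a check like this with file-system permissions that keep www-data from writing to the template directories removes the rendering step even if a validation bug slips through.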