Authored by Valentin Lobstein

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the setNetworkCardInfo function.

advisories | CVE-2024-22900

CVE ID: CVE-2024-22900

Title: Command Injection Vulnerability in Vinchin Backup and Recovery Versions 7.2 and Earlier

A critical security vulnerability, identified as CVE-2024-22900, has been discovered in Vinchin Backup and Recovery software, affecting versions 7.2 and earlier. The vulnerability is present in the `setNetworkCardInfo` function, which is intended to update network card information.

1. The function collects the `NAME` parameter from the user request and assigns it to a variable `$name`.
2. The `NAME` parameter value is then used to construct a file path in the `setNetworkCardInfo` function, leading to potential command injection.
3. The vulnerability arises from the use of user-supplied input in system commands without proper validation and sanitization.

This vulnerability allows an attacker to inject arbitrary commands via the `NAME` parameter, potentially leading to unauthorized access or control over the affected system.

Current Status:
As of the current date, there is no known patch available for this vulnerability. Users of Vinchin Backup and Recovery versions 7.2 and earlier are at risk.

It is strongly recommended that users of the affected software versions remain vigilant and monitor Vinchin's updates for a security patch. Upon release of a patch, users should prioritize updating their systems to mitigate this security risk.

Signed,Valentin Lobstein