0days

Lucy Security Awareness Platform Remote Code Execution <= 4.7.x (CVE-2021-28132)

I identified multiple vulnerabilities of Lucy Security’s Awareness product. An unauthenticated user can execute an operating system command under the context of the web server user which is www-data after successfully forcing low privileged user (create/delete Campaign enabled users, admin and etc.) to visit the link that contains payload created by the least privileged user (view permission).