
Description

A command injection vulnerability exists in GestioIP 3.0 in ip_checkhost.cgi, in versions prior to commit ac67be (the fixing commit listed under References). The value of the 'ip' parameter is passed into an OS command without neutralizing shell metacharacters, so crafted input allows an attacker to execute arbitrary shell commands on the server, including commands delivered as embedded base64-encoded payloads. Authentication may be required depending on deployment configuration; the CVSS vector below assumes a low-privileged account (PR:L).
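As an added illustration, not code from GestioIP (which is written in Perl) nor from the referenced Metasploit module, the Python sketch below shows the CWE-78 pattern the description refers to: an untrusted 'ip' parameter interpolated into a shell command string, next to a hardened form that accepts only a valid IP literal and invokes the program through an argv list with no shell in the path. The function names, the constructed injection strings, the shell-metacharacter check and the choice of `ping` as the command are assumptions made for the example; the advisory does not state which command ip_checkhost.cgi builds.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs for the example (not taken from the advisory
# or from the referenced exploit module).
BENIGN = "10.0.0.1"
INJECT_SEMICOLON = "10.0.0.1; id"                  # command separator
INJECT_SUBSHELL = "$(echo aWQ= | base64 -d | sh)"  # aWQ= decodes to "id"

# Characters that let /bin/sh run something other than the intended program.
# Used here only for logging/detection; allow-list validation (parse_ip) is
# the actual control, since a deny-list can never be complete.
SHELL_META = re.compile(r"[;&|`$()<>{}\n\r\\'\"]")


def vulnerable_command(ip: str) -> str:
    """The CWE-78 pattern (assumed shape, not GestioIP's real code): the
    parameter is spliced into one string that would later be given to a
    shell (e.g. subprocess.run(..., shell=True) or Perl backticks/system
    with a single string). ';', '|' and '$(...)' in `ip` are then parsed
    as shell syntax. Returned rather than executed so the demo is offline."""
    return f"ping -c 1 {ip}"


def has_shell_metachars(ip: str) -> bool:
    """Heuristic flag for probes against the parameter: True when the value
    contains a character the shell would treat as syntax."""
    return SHELL_META.search(ip) is not None


def parse_ip(ip: str) -> str:
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6
    literal and return its canonical text. Everything else, including every
    shell metacharacter, raises ValueError."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError as exc:
        raise ValueError(f"not an IP address: {ip!r}") from exc


def is_rejected(ip: str) -> bool:
    """True when parse_ip refuses the value (what a log review would count)."""
    try:
        parse_ip(ip)
    except ValueError:
        return True
    return False


def safe_command(ip: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. Passing a list
    (no shell=True) hands the validated text to ping as a single argument;
    no shell ever parses it, so metacharacters cannot change the command."""
    return ["ping", "-c", "1", parse_ip(ip)]


def run_ping(ip: str) -> int:
    """Execute the hardened command. Needs a network and the ping binary,
    so it is not exercised by the checks below."""
    return subprocess.run(safe_command(ip), check=False).returncode
```

Both layers matter: validation rejects the injection strings outright, and the argv form means that even a value that slipped past validation would reach `ping` as data rather than be re-parsed by a shell.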

Status: PUBLISHED | Reserved 2025-07-30 | Published 2025-07-31 | Updated 2026-05-15 | Assigner: VulnCheck

Severity: HIGH, base score 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 3.0 commit ac67be
affected

Credits

bperry (finder)

References

raw.githubusercontent.com/...its/multi/http/gestioip_exec.rb (exploit)

sourceforge.net/...ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/ (patch)

sourceforge.net/projects/gestioip/ (product)

www.vulncheck.com/advisories/gestioip-rce (third-party advisory)

cve.org (CVE-2013-10039)

nvd.nist.gov (CVE-2013-10039)
