Home

Description

A security flaw has been discovered in Qualitor up to 8.20.104/8.24.97. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. Upgrading to version 8.20.105 and 8.24.98 addresses this issue. Upgrading the affected component is advised.

PUBLISHED Reserved 2025-11-29 | Published 2025-11-30 | Updated 2025-12-01 | Assigner VulDB




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
HIGH: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Code Injection

Injection

Timeline

2025-11-29:Advisory disclosed
2025-11-29:VulDB entry created
2025-12-01:Countermeasure disclosed
2025-12-01:VulDB entry last update

Credits

matheuzsec (VulDB User) reporter

References

vuldb.com/?id.333796 (VDB-333796 | Qualitor getResumo.php eval code injection) vdb-entry technical-description

vuldb.com/?ctiid.333796 (VDB-333796 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.691251 (Submit #691251 | Qualitor Qualitor Web 8.20/8.24 Code Injection) third-party-advisory

www.youtube.com/watch?v=hU8YbFc6KpI exploit media-coverage

www.qualitor.com.br/...cial-security-advisory-cve-2025-13792 related

cve.org (CVE-2025-13792)

nvd.nist.gov (CVE-2025-13792)

Download JSON