Arbitrary code execution through admin settings

Jun 21, 2021

  • Risk: medium
  • CVSS v3 Base Score: 6.6
  • CVSS v3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
  • CWE ID: CWE-78
  • CWE Name: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • CVE: CVE-2021-33827


In the administration settings of the files_antivirus app it was possible to execute arbitrary code.


  • files_antivirus < v1.0.0

Action taken

Moved the specific settings to the config.php file and removed them from the web ui.