Overview
A high-severity code injection vulnerability, identified as CVE-2025-13792, has been discovered in Qualitor versions 8.20 and 8.24. This vulnerability allows remote attackers to inject arbitrary code via the passageiros argument in the getResumo.php file within the /html/st/stdeslocamento/request/ directory. The exploit is publicly available and actively being exploited. The vendor was contacted but has not responded to the disclosure.
Technical Details
The vulnerability resides in the eval function within /html/st/stdeslocamento/request/getResumo.php. By manipulating the passageiros argument, an attacker can inject and execute arbitrary code on the server. This occurs because the input isn’t properly sanitized or validated before being passed to the eval function.
Example Attack Vector (Illustrative – Specific Payload Details Vary):
A specially crafted request to /html/st/stdeslocamento/request/getResumo.php with a malicious payload within the passageiros parameter would trigger the vulnerability.
CVSS Analysis
- CVSS Score: 7.3 (HIGH)
- Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
This CVSS score indicates a high-severity vulnerability due to its remote exploitability, low attack complexity, no required privileges, and no user interaction. Successful exploitation allows for complete compromise of confidentiality and integrity. Availability is not directly affected based on the CVSS vector.
Possible Impact
Successful exploitation of CVE-2025-13792 can lead to severe consequences, including:
- Remote Code Execution (RCE): Attackers can execute arbitrary commands on the server, potentially gaining full control.
- Data Breach: Sensitive data stored on the server can be accessed and exfiltrated.
- System Compromise: The entire Qualitor system, and potentially other systems on the same network, can be compromised.
- Denial of Service (DoS): Although the CVSS score doesn’t directly specify it, a successful exploit could indirectly lead to a denial of service if the attacker leverages the exploit to disrupt system operations.
Mitigation or Patch Steps
Unfortunately, the vendor has not provided a patch or mitigation steps as of the publication date. Therefore, the following temporary mitigation strategies are recommended:
- Web Application Firewall (WAF): Implement a WAF with rules to detect and block attempts to exploit this vulnerability by filtering malicious input to the
passageirosparameter. - Input Validation: If possible, implement strict input validation and sanitization for the
passageirosparameter to prevent code injection. This ideally requires modifying the Qualitor application code, which may be difficult without vendor support. - Network Segmentation: Isolate the Qualitor system from other critical systems on the network to limit the potential impact of a successful attack.
- Monitor for Suspicious Activity: Closely monitor system logs and network traffic for any signs of exploitation attempts.
- Consider Alternatives: If feasible, consider migrating to a different solution, particularly if the vendor remains unresponsive.
Important: These are temporary workarounds. A proper patch from the vendor is the only definitive solution. Continue to monitor for vendor updates.
