erick-duarte / CVE-2024-24386


VitalPBX - CVE-2024-24386

Vulnerability Title: Command Injection
Author: Erick Duarte
Version: < 3.2.5-2


The vulnerability occurs when the Task Manager module is used together with a Cron Profile. Exploitation requires that a script already exists in a specific folder on the OS: "/var/lib/vitalpbx/scripts".


So, out of curiosity, I began analyzing what was being sent to the server using Burp. To do this, I created a Cron Profile to execute every minute.



Next, I proceeded to create the Task Manager.



In the script field, I noticed that it passed the filename. So, I decided to insert a base64-encoded reverse shell payload (just to avoid errors with special characters) and sent it.
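The root cause described above is that a form field meant to select a file from /var/lib/vitalpbx/scripts is carried into a command as free text. The following is an added example of the server-side hardening a defender would want, not VitalPBX code: it assumes a hypothetical handler that receives the script name (resolve_script, run_script and the temporary-directory demo() are all assumptions made for this example), treats the name as an identifier against a character allowlist, canonicalises the path so symlinks and traversal cannot leave the directory, requires the file to already exist, and executes it in argv form so no shell ever re-parses the name.

```python
"""Hardening for a "run a script from the scripts folder" task (added example,
not VitalPBX code). The submitted script name is an identifier that selects
from files already present in the directory; it is never shell text."""
import re
import stat
import subprocess
import tempfile
from pathlib import Path

# Directory named in the write-up as the place the Task Manager reads scripts from.
SCRIPTS_DIR = Path("/var/lib/vitalpbx/scripts")

# Allowlist: letters, digits, dot, underscore, dash; no leading dot (so no ".."
# and no hidden files), no path separators, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class InvalidScriptName(ValueError):
    """Raised when a submitted name cannot be mapped to an allowed script."""


def resolve_script(name: str, scripts_dir: Path = SCRIPTS_DIR) -> Path:
    """Map a user-supplied name to a file inside scripts_dir, or raise.

    Three independent checks: the allowlist rejects shell metacharacters and
    separators; canonicalisation (symlinks followed) must land directly inside
    the directory; and the file must already exist, so the field chooses from
    a fixed set rather than describing a command.
    """
    if not SAFE_NAME.fullmatch(name):
        raise InvalidScriptName("name contains characters outside the allowlist")
    root = scripts_dir.resolve()
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise InvalidScriptName("name resolves outside the scripts directory")
    if not candidate.is_file():
        raise InvalidScriptName("no such script")
    return candidate


def run_script(name: str, scripts_dir: Path = SCRIPTS_DIR) -> int:
    """Execute an allowed script as argv with shell=False, so the name is never
    interpreted by a shell even if a bad character slipped past the allowlist."""
    path = resolve_script(name, scripts_dir)
    return subprocess.run([str(path)], shell=False, check=False).returncode


def classify(names, scripts_dir: Path = SCRIPTS_DIR) -> dict:
    """Return {name: "allowed" | "rejected: <reason>"} for a batch of inputs."""
    verdicts = {}
    for n in names:
        try:
            resolve_script(n, scripts_dir)
            verdicts[n] = "allowed"
        except InvalidScriptName as e:
            verdicts[n] = f"rejected: {e}"
    return verdicts


def demo() -> dict:
    """Constructed scenario (hypothetical, for this example): a temporary scripts
    directory holding one real script plus a symlink that points outside it,
    checked against a mix of legitimate and hostile names."""
    with tempfile.TemporaryDirectory() as scripts, tempfile.TemporaryDirectory() as other:
        scripts_dir = Path(scripts)
        legit = scripts_dir / "backup.sh"
        legit.write_text("#!/bin/sh\nexit 0\n")
        legit.chmod(legit.stat().st_mode | stat.S_IXUSR)
        outside = Path(other) / "outside.sh"
        outside.write_text("#!/bin/sh\nexit 0\n")
        (scripts_dir / "link.sh").symlink_to(outside)  # well-formed name, escapes via symlink
        names = [
            "backup.sh",                 # the only legitimate choice
            "backup.sh; echo injected",  # shell metacharacters
            "$(echo injected)",          # command substitution
            "../outside.sh",             # path traversal
            "link.sh",                   # passes the allowlist, fails canonicalisation
            "missing.sh",                # well-formed but not present
        ]
        return classify(names, scripts_dir)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:32} {verdict}")
```

The three checks are deliberately independent: a regex alone does not stop a symlink planted in the directory, and path canonicalisation alone does not stop metacharacters, so each one covers a gap the others leave. The payload seen in the write-up fails at the first check.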



Then, I sent the POST request just to apply the settings.



And there it is, we got the shell.



I understand that a relatively high level of privilege is necessary, and it also depends on having a script in the specific directory. In VitalPBX, it is possible to create multiple users and grant various types of permissions. What would happen if these permissions were misconfigured? Additionally, there is the option to create a Tenant. If one of these Tenants manages to exploit this vulnerability, they could potentially gain full access to the server, including other Tenants.

I hope that my findings contribute to the security community, and I trust that VitalPBX will make the necessary corrections.
