Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTermix
APPTermix2.1.0 – 2.3.2 (bez)
Related vulnerabilities
Termix: OS command injection w endpointcie resolvePath (RCE)
Command injection w Termix File Manager via parametr path (GET resolvePath)
Broken Access Control w Termix — nieautoryzowany dostęp do sesji File Manager
Termix: nieautoryzowany dostęp do danych SSH przez błędne wykrywanie IP
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. ...