PowerD command parameter validation and escaping
The powerd parameters
powerd_normal_mode are not validated against the list of expected mode strings in
/usr/local/www/system_advanced_misc.php. They are also not escaped before use when invoking the
powerd command inside
This can lead to an authenticated command injection for users with access to that page.
Updated by Anonymous almost 3 years ago
Could recreate the behavior on 2.4.4. On 2.4.5.a.20181102.0213, could not reproduce the behavior; received "The following input errors were detected: Invalid Battery Power mode." after modifying the value of Battery Power mode and clicking Save.
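
The two controls the report above calls for, allowlist validation of the mode strings and shell escaping at the point of use, sketched as an added example that is not pfSense's own code. The mode names follow powerd(8); the `powerd_battery_mode` field name, the field-to-flag map, the `hadp` fallback and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. The field-to-flag map, the fallback
// mode and the sample input are assumptions made for illustration.
const POWERD_MODES = ['hadp', 'adp', 'min', 'max'];   // allowlist, per powerd(8)
const POWERD_FLAGS = [                                // form field => powerd flag
    'powerd_normal_mode'  => '-n',   // field name taken from the report
    'powerd_battery_mode' => '-b',   // assumed field name
];

/** Return one input error per mode field whose value is not on the allowlist. */
function validate_powerd_modes(array $post): array
{
    $errors = [];
    foreach (array_keys(POWERD_FLAGS) as $field) {
        $value = $post[$field] ?? '';
        // Strict comparison: no type juggling, no prefix or partial matches.
        if (!is_string($value) || !in_array($value, POWERD_MODES, true)) {
            $errors[] = "Invalid value for {$field}.";
        }
    }
    return $errors;
}

/** Build the powerd command line; each value is re-checked and shell-quoted. */
function build_powerd_command(array $config): string
{
    $args = [];
    foreach (POWERD_FLAGS as $field => $flag) {
        $value = $config[$field] ?? 'hadp';
        if (!in_array($value, POWERD_MODES, true)) {
            // Stored config may predate validation: fall back to a known mode.
            $value = 'hadp';
        }
        // Quote even allowlisted values so the sink is safe on its own.
        $args[] = $flag . ' ' . escapeshellarg($value);
    }
    return '/usr/sbin/powerd ' . implode(' ', $args);
}

// Constructed sample input: one valid value, one carrying a shell metacharacter.
$post = ['powerd_normal_mode' => 'adp', 'powerd_battery_mode' => 'min; id'];

// Save-time check: rejects the second field, so nothing is written to config.
print_r(validate_powerd_modes($post));

// Use-time check: even if the bad value had been stored earlier, the builder
// emits only allowlisted, quoted arguments.
echo build_powerd_command($post), "\n";
```

Validating at save time and again where the command string is assembled covers configurations that were written before the validation existed.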