Posted by Calum Hutton on May 19

Clickheat 1.13+ Unauthenticated RCE
———————————–

The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently
and the project seems to be in an abandoned state.

I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands
on the remote webserver, in the context of the user running the webserver, without…