漏洞描述
SIM 项目的 /api/function/execute 接口允许可控输入 code 参数被传入后直接在服务器端执行,导致远程任意代码执行(RCE),攻击者无需认证即可通过构造恶意 JSON 请求触发该接口执行任意命令
SIM /api/function/execute 代码执行漏洞
PoC代码
暂无相关漏洞推荐
- Code-Projects Simple Scheduling System SQL注入漏洞
- Code-Projects Simple Scheduling System SQL注入漏洞
- Code-Projects Simple Scheduling System SQL注入漏洞
- Sim Studio AI 服务端请求伪造漏洞(CVE-2025-9805)
- POC CVE-2008-2650: CMSimple 3.1 - Local File Inclusion
- POC CVE-2010-2122: Joomla! Component simpledownload <=0.9.5 - Arbitrary File Retrieval
- POC CVE-2014-2908: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting
- POC CVE-2014-8676: Simple Online Planning Tool <1.3.2 - Local File Inclusion
- POC CVE-2015-1000010: WordPress Simple Image Manipulator < 1.0 - Local File Inclusion
- POC CVE-2016-1000149: WordPress Simpel Reserveren <=3.5.2 - Cross-Site Scripting
- POC CVE-2019-20183: Simple Employee Records System 1.0 - Unrestricted File Upload
- POC CVE-2019-9915: GetSimple CMS 3.3.13 - Open Redirect
- POC CVE-2020-35749: WordPress Simple Job Board <2.9.4 - Local File Inclusion