A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input.
The execute_command function in version 0.1.7 does not properly filter or validate user-supplied input data. An attacker can craft a properly malicious payload and pass it to this function, resulting in embedding and execution of arbitrary system commands in the application context. The attack vector is network-based, requires no authentication or user interaction, and the scope of the vulnerability extends beyond the component where the error occurred (Scope: Changed).
An attacker can gain full control over the operating system on which the application runs — read, modify and delete data, install malicious software, and move laterally across the network. Confidentiality, integrity, and availability of the system are compromised at the highest level.
Patches available from the manufacturer should be applied in accordance with the references. Until a fix is available, it is recommended to disable or network-isolate the component using the execute_command function and restrict access to the service only to trusted hosts.
Gongrzhe terminal-controller-mcp version 0.1.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGongrzhe Terminal Controller Mcp
APPGongrzhe0.1.7