Vulnerability in JumpScale Portal 7 (CVE-2018-1000666)

Valery
Dec 6, 2018

In the method notifySpaceModification we can send any text in the owner field. That text is added, unsanitized, to the command cmd="cd /opt/code/%s/%s;hg pull;hg update -C"%(owner,name), which is executed after string formatting.

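Using ;{cmd}# as the owner field value, we can execute any command on the server: the leading ; ends the cd command, and the trailing # turns the rest of the line into a comment.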

It was fixed by removing the deprecated methods: https://github.com/jumpscale7/jumpscale_portal/pull/108
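For code that still has to run hg on behalf of a request, the sketch below puts the string-formatting pattern quoted above next to a hardened form. It is an added example, not JumpScale's code and not the change made in the pull request; the function names, the allowlist regex and the sample values are assumptions, and the payload is a constructed, harmless echo marker.

```python
import posixpath
import re

BASE = "/opt/code"  # base directory taken from the command string in the post
# Assumed allowlist for owner/repository names (not from the project).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def build_cmd_vulnerable(owner, name):
    # Pattern from the post: untrusted fields formatted into a shell string.
    return "cd /opt/code/%s/%s;hg pull;hg update -C" % (owner, name)


def build_plan_hardened(owner, name):
    """Return (cwd, [argv, ...]) for execution without a shell.

    Each argv is meant for subprocess.run(argv, cwd=cwd, check=True),
    so no request field is ever parsed by /bin/sh.
    """
    for field, value in (("owner", owner), ("name", name)):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError("invalid %s: %r" % (field, value))
    cwd = posixpath.normpath(posixpath.join(BASE, owner, name))
    # Defense in depth: the working directory must stay under BASE.
    if not cwd.startswith(BASE + "/"):
        raise ValueError("path escapes %s" % BASE)
    return cwd, [["hg", "pull"], ["hg", "update", "-C"]]


def shell_metachars(value):
    # Detection helper: characters that change how /bin/sh parses a line.
    return sorted(set(value) & set(";|&$`<>(){}#\n\\'\" "))


if __name__ == "__main__":
    constructed = ";echo INJECTED#"  # constructed stand-in for ;{cmd}#
    print(build_cmd_vulnerable(constructed, "repo"))
    print(shell_metachars(constructed))
    try:
        build_plan_hardened(constructed, "repo")
    except ValueError as exc:
        print("rejected:", exc)
    print(build_plan_hardened("acme", "docs"))
```

The same `shell_metachars` check can be run over logged owner values to find past requests that carried shell syntax.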

You can see a reverse shell example with the payload on GitHub: https://github.com/0-complexity/openvcloud/issues/1207
