
Cloud Vulnerability DB
A community-led vulnerabilities database
Command Injection vulnerability in MagnusSolution magnusbilling versions 6.x and 7.x allows remote attackers to execute arbitrary commands via unauthenticated HTTP requests. The vulnerability was discovered and reported on March 27, 2023, and was assigned CVE-2023-30258 on June 26, 2023. The affected software versions include MagnusBilling from version 6.0.0 up to and including version 7.3.0 (Advisory, NVD).
The vulnerability exists in the lib/icepay/icepay.php file, specifically at line 753, where demonstration code contains an unsafe exec() call. It stems from insufficient sanitization of user-supplied input in the GET parameter 'democ', which is passed directly to exec(). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD, Advisory).
An unauthenticated attacker can execute arbitrary OS commands with the privileges of the web server process (typically www-data or asterisk). At minimum, this allows attackers to compromise the billing system and its database. The vulnerability can be exploited remotely without any authentication requirements (Advisory, AttackerKB).
The vulnerability has been patched by removing the demo code from icepay.php. Organizations should upgrade to the latest version of MagnusBilling that includes the fix, which was implemented in commit ccff9f6370f530cc41ef7de2e31d7590a0fdb8c3 (GitHub, Advisory).
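As a defender-side illustration added to this entry (it is not code from MagnusBilling, the advisory, or this database), the following Python script does two things an operator would want after reading the above: it checks whether a reported MagnusBilling version falls inside the affected range (6.0.0 up to and including 7.3.0), and it scans web-server access logs for requests that reach lib/icepay/icepay.php carrying the democ query parameter, which is the request shape the vulnerability depends on. The log lines, IP addresses and the /mbilling/ install prefix are constructed for the example, and the parameter value is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Affected range stated in the advisory: 6.0.0 up to and including 7.3.0.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (7, 3, 0)

# File carrying the unsafe exec() call (path relative to the install root) and
# the GET parameter that reaches it.
VULNERABLE_PATH_SUFFIX = "/lib/icepay/icepay.php"
VULNERABLE_PARAM = "democ"

# Constructed sample access-log lines in Apache common-log format. The
# addresses, the /mbilling/ prefix and the parameter value are made up here.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2023:10:01:02 +0000] "GET /mbilling/index.php HTTP/1.1" 200 512
203.0.113.9 - - [27/Mar/2023:10:02:15 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=PLACEHOLDER HTTP/1.1" 200 0
198.51.100.4 - - [27/Mar/2023:10:03:44 +0000] "GET /mbilling/lib/icepay/icepay.php HTTP/1.1" 200 128
198.51.100.7 - - [27/Mar/2023:10:04:01 +0000] "POST /mbilling/lib/icepay/icepay.php?democ= HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '7.3.0' into (7, 3, 0); missing trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version_text):
    """True if the MagnusBilling version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def find_democ_requests(log_text):
    """Return every request that hits icepay.php with a 'democ' query parameter.

    Any HTTP method is flagged: the parameter travels in the query string, so the
    method alone does not make a request benign. Blank values are kept so that a
    bare '?democ=' is still reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip rather than crash
        url = urlsplit(m.group("target"))
        if not url.path.endswith(VULNERABLE_PATH_SUFFIX):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if VULNERABLE_PARAM in params:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "path": url.path,
            })
    return hits


if __name__ == "__main__":
    for ver in ("5.9.9", "6.0.0", "7.3.0", "7.3.1"):
        print(f"MagnusBilling {ver}: affected={is_affected(ver)}")
    for hit in find_democ_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['path']} -> HTTP {hit['status']}")
```

On the sample input the script reports two requests (one GET with a value and one POST with an empty value) and ignores the request to icepay.php that carries no democ parameter. A 404 on the flagged POST line shows why the response status is kept in the output: on a patched install where the demo code is gone, the path may still exist while the parameter does nothing, so the status helps separate probing from a request that actually reached vulnerable code.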
Source: This report was generated using AI