github zelon88/HRConvert2 v3.3.8

7 hours ago

-v3.3.8.
-This commit is a response to GitHub Security Advisory GHSA-f74g-4wj8-j35h submitted by GitHub user KhaelK138.
-You can read the original security advisory at GHSA-f74g-4wj8-j35h.
-KhaelK138 reported this issue via the official GitHub repository on April 22nd 2026.
-KhaelK138 sent me (zelon88) an email on May 3rd 2026 to follow up.
-I verified that the reported vulnerabilities exist.
-I have implemented KhaelK138's suggested fixes.
-I have requested a CVE for this vulnerability from GitHub.
-The vulnerability potentially allows remote attackers to achieve remote code execution on the HRConvert2 server via two different methods:
-Method 1: Attackers could potentially leverage the backtick character to inject arbitrary commands that execute in the context of the www-data user.
-Method 2: Attackers could potentially leverage the tab character to drop files remotely into hosted locations on the server.
-The severity of these vulnerabilities could result in a complete hostile takeover of the server by a remote attacker.
-The vulnerability impacts all versions of HRConvert2 prior to v3.3.8.
-It is HIGHLY RECOMMENDED that all versions of HRConvert2 prior to v3.3.8 be updated to v3.3.8 immediately.
-You can verify the version of your HRConvert2 installation by navigating to your HRConvert2 installation directory (usually /var/www/html/HRProprietary/HRConvert2) and opening the Documentation/CHANGELOG.txt file with a text editor. The version information is contained in the top header section of this file.
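
A scripted form of the version check described above, as an added example that is not part of the HRConvert2 project or its release notes. The function names, the sample file layout, and the rule that the first vX.Y.Z string in the top 40 lines of CHANGELOG.txt is the installed version are assumptions.

```shell
#!/bin/sh
# Added example: check an HRConvert2 install against the fixed release v3.3.8.
FIXED="3.3.8"
DEFAULT_DIR="/var/www/html/HRProprietary/HRConvert2"  # usual path per the notes

# Print the installed version (without the leading "v"), or return 2 if the
# changelog is unreadable. Assumption: the first vX.Y.Z string within the top
# 40 lines of CHANGELOG.txt is the installed version.
hrc_installed_version() {
    changelog="$1/Documentation/CHANGELOG.txt"
    [ -r "$changelog" ] || return 2
    head -n 40 "$changelog" | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+' \
        | head -n 1 | sed 's/^v//'
}

# Return 0 when three-part version $1 is numerically lower than $2.
version_lt() {
    old_ifs="$IFS"; IFS=.
    set -- $1 $2                    # fields become $1 $2 $3 and $4 $5 $6
    IFS="$old_ifs"
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print a verdict; return 0 (fixed), 1 (vulnerable) or 2 (could not tell).
hrc_check() {
    dir="${1:-$DEFAULT_DIR}"
    ver="$(hrc_installed_version "$dir")" || {
        echo "UNKNOWN: cannot read $dir/Documentation/CHANGELOG.txt"; return 2; }
    [ -n "$ver" ] || { echo "UNKNOWN: no version string in header"; return 2; }
    if version_lt "$ver" "$FIXED"; then
        echo "VULNERABLE: v$ver predates v$FIXED, update immediately"; return 1
    fi
    echo "OK: v$ver is at or above v$FIXED"
}

# Write a constructed CHANGELOG.txt (layout is illustrative) for offline tests.
make_sample() {
    mkdir -p "$1/Documentation"
    printf 'HRConvert2 CHANGELOG\n----------\nv%s.\n-Sample entry.\n' "$2" \
        > "$1/Documentation/CHANGELOG.txt"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then hrc_check "$1"; fi
```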
