Dogfood CRM version 2.0.10 contains a remote command execution vulnerability in the spell.php script used by its mail subsystem. The vulnerability arises from unsanitized user input passed via a POST request to the data parameter, which is processed by the underlying shell without adequate escaping. This allows attackers to inject arbitrary shell commands and execute them on the server. The flaw is exploitable without authentication and was discovered by researcher LSO.
Security readout for executives and security teams
Plain-English summary
Dogfood CRM 2.0.10 is reported to allow unauthenticated remote command execution through its mail spell-check script. If exposed, an attacker could run operating-system commands on the server. The product appears legacy, so exposure may be rare, but any reachable instance should be treated as urgent.
Executive priority
Treat confirmed exposed instances as emergency remediation work. The business risk is full server compromise, even if the affected software is uncommon or legacy.
Technical view
The flaw is described as CWE-78 command injection in spell.php, where POST data is passed to a shell without adequate escaping. CVSS 4.0 is 9.3 critical. Source metadata conflicts on affected versions, so validate by product, version, and script presence rather than relying only on CPE data.
Likely exposure
Likely limited to legacy Dogfood CRM deployments, especially internet-facing systems with the mail spell.php path reachable. The bundle does not establish broad current deployment prevalence.
Exploitation context
The bundle cites public exploit references from Exploit-DB and Metasploit, so proof-of-concept or weaponized material exists. KEV is false, and the provided sources do not prove active exploitation in the wild.
Researcher notes
Avoid overclaiming scope: the description names Dogfood CRM 2.0.10, while affected metadata lists version 0 with default unaffected. Public exploit references support exploitability, but not active exploitation.
Mitigation direction
Inventory systems for Dogfood CRM 2.0.10 and the spell.php mail component.
Remove, disable, or isolate the vulnerable spell.php path where found.
Restrict external access to any remaining Dogfood CRM instance immediately.
Check vendor or maintainer guidance before assuming a patch exists.
Use IPS or WAF coverage only as defense-in-depth, not as the primary fix.
Validation and detection
Confirm product name, deployed version, and whether spell.php exists.
Review web server logs for suspicious POST requests to spell.php.
Check whether the CRM is reachable from the internet or untrusted networks.
Verify compensating controls block unauthenticated access to the affected path.
Document any version uncertainty caused by conflicting CVE affected metadata.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-78 · source CWE mapping
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.