{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "multipart POST to SmallPartMediaRecorder::ajax_upload: JSON 'data' field with course_id as an array containing participants[0].participant_role=3 (authz bypass) plus video_hash path-traversal ('../../../../../../../../../../../../usr/share/egroupware/header.inc' with video_type='php'); uploaded 'file' field = attacker PHP payload",
  "trigger_path": "POST /egroupware/json.php?menuaction=EGroupware\\SmallParT\\Widgets\\SmallPartMediaRecorder::ajax_upload (nginx -> php-fpm) -> isTeacher() bypass via request-supplied participants/role -> videoPath() path traversal in video_hash -> copy() writes attacker PHP to /usr/share/egroupware/header.inc.php (symlink -> /var/lib/egroupware/header.inc.php) -> injected header executes on next HTTP request after OPcache clear (restart)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
