OTMS remote code execution
I have discovered a vulnerability in OpenTouch Multimedia Services, making it possible for an attacker with administration rights to execute code on the server via web requests with high privileges.
Description of the vulnerability
The CGI script vmconstruct.cgi is vulnerable to shell command injection through HTTP POST requests. An attacker with an OT administrator cookie can inject arbitrary OS commands using the semicolon (;) character in the web request.
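The injection class described above, shown beside a hardened form, as an added example that is not code from this advisory or from the product. The field name `name`, the `echo` stand-in command and the sample request bodies are constructed assumptions, since the advisory does not publish the real parameter or the command that vmconstruct.cgi runs.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hypothetical field name; the advisory does not name the real parameter.
FIELD = "name"
# Allowlist: only characters that can never be shell metacharacters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def parse_field(post_body: str) -> str:
    """Extract FIELD from an application/x-www-form-urlencoded POST body."""
    return parse_qs(post_body, keep_blank_values=True).get(FIELD, [""])[0]


def run_vulnerable(post_body: str) -> str:
    """Before: the value is pasted into a shell command line.

    The shell parses the whole string, so a ';' in the value ends the
    intended command and starts a second one.
    """
    value = parse_field(post_body)
    proc = subprocess.run("echo building " + value, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(post_body: str) -> str:
    """After: validate against the allowlist, then pass an argument vector.

    With a list and no shell, the value reaches the program as one argument
    and is never interpreted as shell syntax.
    """
    value = parse_field(post_body)
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("rejected field value")
    proc = subprocess.run(["echo", "building", value],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample bodies; the second carries only a harmless marker command.
BENIGN_BODY = "name=site01"
INJECTED_BODY = "name=site01%3B%20echo%20INJECTED"
```

Rejected values are also worth logging with the authenticated account, because this issue is reachable only with an administrator cookie.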
Impacts
OS command injection vulnerabilities can give the attacker elevated shell access on the OT server.
Reference: CVE-2020-11794
Date: April 15th, 2020
Risk: High
Impact: Get access
Attack expertise: Skilled, Administrative user
Attack requirements: Remote
CVSS score: 8.0 (HIGH)