CVE-2020-29552
Severity: CRITICAL (CVSS 9.8)
WAF coverage: High
Published: 2020-12-23
CWE-78
An issue was discovered in URVE Build 24.03.2020. By using the `_internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+"` substring, it is possible to execute a PowerShell command and redirect its output to a file under the web root.
WAF Coverage Analysis
- Attack class: OS Command Injection
- Coverage: High
- OWASP: A03:2021 Injection
- Rule group: 932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| urve | urve | 24.03.2020 |
References
- packetstormsecurity.com (Exploit, Third Party Advisory, VDB Entry)
- seclists.org (Exploit, Mailing List, Third Party Advisory)
- urve.co.uk (Vendor Advisory)
- www.syss.de (Exploit, Third Party Advisory)