CVE-2020-6144
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | OS4Ed | OS4Ed openSIS 7.4 | affected |
Weaknesses
- CWE-96: CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.