CVE-2017-17407

Name of the Vulnerable Software and Affected Versions NetGain Systems Enterprise Manager version 7.2.699 build 1001

Description This issue allows remote attackers to execute arbitrary code on vulnerable installations. Authentication is not required to exploit this issue. The flaw exists within the handling of the content parameter provided to the "script test.jsp" endpoint. A crafted content request parameter can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this issue to execute code under the context of the web service.

Recommendations For NetGain Systems Enterprise Manager version 7.2.699 build 1001, consider disabling access to the "script test.jsp" endpoint until a patch is available. Avoid using the content parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.