Vincenzo Santucci

**Name of the Vulnerable Software and Affected Versions** Eve-NG Professional versions 4.0.1-65 and earlier Eve-NG Community versions 2.0.3-112 and earlier **Description** The issue allows a remote authenticated attacker to execute commands as root by editing virtualization command parameters of imported UNL files. This is due to an OS Command Injection vulnerability in the configuration parser. **Recommendations** For Eve-NG Professional versions 4.0.1-65 and earlier, update to a version later than 4.0.1-65 to resolve the issue. For Eve-NG Community versions 2.0.3-112 and earlier, update to a version later than 2.0.3-112 to resolve the issue. As a temporary workaround, consider restricting access to editing virtualization command parameters of imported UNL files until a patch is available.