PT-2019-10185 · Remedia It · Nedi

Published

2019-01-17

Updated

2019-10-03

CVE-2018-20727

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: NeDi versions prior to 1.7Cp3

Description: The issue allows authenticated users to execute code on the server side. This can be achieved via the flt parameter to "Nodes-Traffic.php", the dv parameter to "Devices-Graph.php", or the tit parameter to "drawmap.php".

Recommendations: For versions prior to 1.7Cp3, update to version 1.7Cp3 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters flt, dv, and tit in the respective PHP files until the update is applied.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2018-20727

Affected Products

Nedi

PT-2019-10185 · Remedia It · Nedi

CVE-2018-20727

Weakness Enumeration

Related Identifiers

Affected Products

References · 4