PT-2019-13442 · Sahi · Sahi Pro

Akkus

Published

2019-07-14

Updated

2020-08-24

CVE-2019-13597

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Sahi Pro version 8.0.0

Description The issue allows command execution via the Player setScriptFile function in Sahi Pro. This enables running .sah scripts through Sahi Launcher and creating new scripts with an editor. It is also possible to execute commands on the server using the execute() function.

Recommendations For Sahi Pro version 8.0.0, consider disabling the execute() function as a temporary workaround until a patch is available. Restrict access to the Player setScriptFile function to minimize the risk of exploitation. Avoid using the Player setScriptFile function in the affected API endpoint until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-13597

Affected Products

Sahi Pro

PT-2019-13442 · Sahi · Sahi Pro

CVE-2019-13597

Weakness Enumeration

Related Identifiers

Affected Products

References · 4