PT-2020-13340 · Noviflow · Noviware

Published: 2020-08-17 · Updated: 2020-08-21 · CVE-2020-13122

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NoviFlow NoviWare versions prior to NW500.2.12

Description

The novish command-line interface in NoviFlow NoviWare is susceptible to command injection via the "show status destination ipaddr" command. This issue could be exploited by a read-only user or an admin to execute commands on the operating system.

Recommendations

For versions prior to NW500.2.12, update to version NW500.2.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the "show status destination ipaddr" command to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-13122

Affected Products

Noviware