PT-2020-13993 · Remedia It · Nedi
Farid007 · Published 2020-06-29 · Updated 2020-07-06
CVE-2020-14412
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
NeDi version 1.9C
Description
The issue allows for remote command execution because System-Snapshot.php does not properly escape shell metacharacters taken from a POST request. An attacker can exploit this by sending a crafted payload containing shell metacharacters in the psw parameter of the POST request. The request can also be triggered through Cross-Site Request Forgery (CSRF).
Recommendations
For NeDi version 1.9C, as a temporary workaround, consider restricting access to the System-Snapshot.php file to minimize the risk of exploitation. Avoid using the psw parameter in the affected POST request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2020-14412
Affected Products
Nedi
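The bug class the description refers to, shown as an added example that is not NeDi's code: a hypothetical snapshot handler that interpolates the psw POST parameter into a shell command unescaped, next to a hardened version that passes the value through escapeshellarg() and, because the advisory notes the request can be forged cross-site, also requires a per-session CSRF token. The mysqldump command, the function names and the token layout are assumptions; only the psw parameter name comes from the advisory.

```php
<?php
// Added example, not NeDi's code: a minimal reconstruction of the bug class
// in the advisory (shell metacharacters from a POST parameter reaching a
// shell) beside a hardened handler. Everything except the "psw" parameter
// name is hypothetical.

declare(strict_types=1);

// VULNERABLE pattern (illustrative): the POST value is concatenated into the
// command line unescaped, so any shell metacharacter in it changes the
// command the shell runs.
function snapshot_command_vulnerable(string $psw): string
{
    return "mysqldump --password=" . $psw . " nedi";   // hypothetical command
}

// HARDENED pattern: the untrusted value goes through escapeshellarg(), which
// wraps it in single quotes and escapes embedded quotes, so the shell sees
// exactly one literal argument whatever characters the value contains.
function snapshot_command_hardened(string $psw): string
{
    return "mysqldump --password=" . escapeshellarg($psw) . " nedi";
}

// CSRF check: require a token tied to the session and compare it in
// constant time, so a form submitted from another origin is rejected
// before any command is built.
function csrf_token_valid(array $session, array $post): bool
{
    if (!isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Handler wiring. No shell is invoked here; the command string is returned
// so the difference between the two patterns is visible.
function handle_snapshot(array $session, array $post): array
{
    if (!csrf_token_valid($session, $post)) {
        return ['status' => 403, 'command' => null];
    }
    $psw = (string) ($post['psw'] ?? '');
    return ['status' => 200, 'command' => snapshot_command_hardened($psw)];
}

// Constructed sample request: a psw value that happens to contain shell
// metacharacters (';', '&' and a space).
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$post    = ['csrf_token' => $session['csrf_token'], 'psw' => 'p@ss;wor &d'];

echo "vulnerable: ", snapshot_command_vulnerable($post['psw']), PHP_EOL;
echo "hardened:   ", handle_snapshot($session, $post)['command'], PHP_EOL;

// A forged request without the session token never reaches the command
// builder at all.
$forged = ['psw' => $post['psw']];
echo "forged status: ", handle_snapshot($session, $forged)['status'], PHP_EOL;
```

Run with `php example.php`. The vulnerable line prints the password fragments as separate shell tokens, while the hardened line prints the whole value inside a single pair of single quotes; the forged request returns status 403. The same two controls apply to the workaround in the recommendations: until a fixed version exists, keeping untrusted input out of shell command lines and rejecting cross-origin POSTs are the changes a deployer can make locally, alongside restricting who can reach System-Snapshot.php at all.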