PT-2020-13995 · Remedia It · Nedi
Farid007 · Published 2020-06-29 · Updated 2020-07-06 · CVE-2020-14414
CVSS v2.0: 9.0 High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
NeDi version 1.9C
Description
The issue allows for Remote Command Execution due to improper escaping of shell metacharacters from a POST request in the pwsec.php file. An attacker can exploit this by sending a crafted payload containing shell metacharacters via a POST request with the pw parameter. This can also be exploited through Cross-Site Request Forgery (CSRF).
Recommendations
For NeDi version 1.9C, as a temporary workaround, consider restricting access to the pwsec.php file to minimize the risk of exploitation. Avoid using the pw parameter in the affected POST request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2020-14414
Affected Products
Nedi
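The weakness described above is the classic pattern of a POST field reaching a shell command line unescaped, reachable cross-site because the form carries no anti-CSRF token. The following is an added illustrative example written for this page; it is not NeDi's code and does not reproduce pwsec.php. The tool path /usr/local/bin/pwtool, the function names and the session key csrf_token are assumptions. It shows the unsafe pattern as a comment beside a hardened handler that (1) rejects requests without a session-bound CSRF token, (2) bounds and sanity-checks the field, and (3) hands the value to the child process as a separate argv element so no shell ever parses it.

```php
<?php
// Added example, not part of the advisory or of NeDi. Hypothetical names:
// run_password_tool(), /usr/local/bin/pwtool, $_SESSION['csrf_token'].
declare(strict_types=1);

session_start();

// A cross-site form post cannot know the token stored in the victim's session,
// so a constant-time comparison against it blocks the CSRF route.
function csrf_token_is_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Defence in depth, independent of how the value is later used: bound the length
// and allow printable ASCII only (no NUL, newlines or other control characters).
// Where the field has a narrower legitimate format, use a stricter allowlist.
function is_acceptable_pw_value(string $value): bool
{
    return preg_match('/^[\x20-\x7E]{1,64}$/', $value) === 1;
}

// Unsafe pattern (the kind of code the advisory describes), kept as a comment:
// the raw field is concatenated into a string that /bin/sh then interprets,
// so shell metacharacters in it become additional commands.
//
// function run_password_tool_unsafe(string $pw): string {
//     return (string) shell_exec('/usr/local/bin/pwtool --check ' . $pw);
// }

// Hardened: the value travels as its own argv element. With an array command
// proc_open() (PHP >= 7.4) executes the program directly, bypassing the shell.
function run_password_tool(string $pw): string
{
    if (!is_acceptable_pw_value($pw)) {
        throw new InvalidArgumentException('pw value rejected');
    }
    $cmd = ['/usr/local/bin/pwtool', '--check', $pw]; // hypothetical tool
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start pwtool');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $pw = $_POST['pw'] ?? '';
    if (!is_string($pw) || !is_acceptable_pw_value($pw)) {
        http_response_code(400);
        exit('rejected');
    }
    // Output-encode the tool's text so it cannot become markup in the response.
    echo htmlspecialchars(run_password_tool($pw), ENT_QUOTES, 'UTF-8');
}
```

On PHP older than 7.4, where proc_open() only accepts a command string, wrap each argument with escapeshellarg() before concatenation; the input check and the CSRF token remain in place either way. The check in is_acceptable_pw_value() is deliberately not the primary control: the property that actually removes the injection is that the shell never sees the value.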