PT-2020-17188 · Urve · Urve

Published: 2020-12-23 · Updated: 2022-09-02 · CVE-2020-29552

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: URVE Build 24.03.2020

Description: An issue was discovered in URVE. By using the "internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a PowerShell command and redirect its output to a file under the web root.

Recommendations: As a temporary workaround, consider restricting access to the "internal/pc/vpro.php" endpoint until a patch is available. Avoid using the mac, ip, operation, usr, and pass parameters in the affected API endpoint until the issue is resolved. Restrict the ability to execute PowerShell commands through the vulnerable substring to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2020-29552

Affected Products: Urve