CVE-2020-25560

Name of the Vulnerable Software and Affected Versions: SapphireIMS version 5.0

Description: The issue allows an attacker to use hardcoded credentials in clients, with the username: sapphire and password: ims, to gain access to the portal. Once access is obtained, the attacker can inject malicious OS commands on functions such as "ping", "traceroute", and "snmp" and execute code on the server. This is also possible if the JSESSIONID is completely removed.

Recommendations: For SapphireIMS version 5.0, consider changing the hardcoded credentials to unique and secure credentials for each client, and restrict access to the "ping", "traceroute", and "snmp" functions to minimize the risk of exploitation. Additionally, implement measures to prevent JSESSIONID removal or tampering. At the moment, there is no information about a newer version that contains a fix for this vulnerability.