CVE-2021-33525

Name of the Vulnerable Software and Affected Versions EyesOfNetwork eonweb versions 5.3-11

Description The issue is related to the nagios path parameter in lilac/export.php, which does not properly neutralize special elements used in operating system commands. This can be exploited by a remote attacker to execute arbitrary commands. The vulnerability can be exploited via shell metacharacters in the nagios path parameter, as demonstrated by inserting an "&& curl" substring for the shell using %26%26+curl. The exploitation requires authenticated user access.

Recommendations For EyesOfNetwork eonweb versions 5.3-11, consider disabling access to the lilac/export.php endpoint until a patch is available, or restrict the use of the nagios path parameter to prevent the injection of shell metacharacters. Avoid using the nagios path parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.