PT-2021-9155 · Invigo · Invigo Automatic Device Management

Published: 2021-03-25 · Updated: 2022-10-05 · CVE-2020-10580

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Invigo Automatic Device Management (ADM) versions through 5.0

Description: A command injection issue in the /admin/broadcast.php script allows remote authenticated attackers to execute arbitrary PHP code on the server as the user running the application.

Recommendations: For Invigo Automatic Device Management (ADM) versions through 5.0, consider restricting access to the /admin/broadcast.php script until a patch is available. As a temporary workaround, limit the privileges of the user running the application to minimize potential damage from arbitrary PHP code execution.

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2020-10580

Affected Products: Invigo Automatic Device Management