CVE-2020-12078
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-12078
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12078.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-12078
- Published
- 2020-04-28T14:15:14.203Z
- Modified
- 2025-11-14T10:10:51.704942Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called excludeip). This excludeip value is passed to the exec function in the discoverieshelper.php file (inside the allip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address.
- References
-
- http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.html
- https://gist.github.com/mhaskar/dca62d0f0facc13f6364b8ed88d5a7fd
- https://github.com/Opmantek/open-audit/commit/6ffc7f9032c55eaa1c37cf5e070809b7211c7e9a
- https://shells.systems/open-audit-v3-3-1-remote-command-execution-cve-2020-12078/
Affected packages
Git / github.com/opmantek/open-audit
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opmantek/open-audit
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Open-AudIT_1.*
Open-AudIT_1.12
Open-AudIT_1.12.2
Open-AudIT_1.12.2_1
Open-AudIT_1.12.4
Open-AudIT_1.12.6
Open-AudIT_1.12.8
Open-AudIT_1.12.8.1
Open-AudIT_1.12.8.2
Open-AudIT_1.14.2
Open-AudIT_1.8.2
Open-AudIT_2.*
Open-AudIT_2.0.1
Open-AudIT_2.0.1-1
Open-AudIT_2.0.1-2
Open-AudIT_2.0.10
Open-AudIT_2.0.11
Open-AudIT_2.0.2
Open-AudIT_2.0.2-1
Open-AudIT_2.0.4
Open-AudIT_2.0.6
Open-AudIT_2.0.6_beta
Open-AudIT_2.0.8
Open-AudIT_2.1
Open-AudIT_2.2.0
Open-AudIT_2.2.1
Open-AudIT_2.2.2
Open-AudIT_2.2.3
Open-AudIT_2.2.4
Open-AudIT_2.2.5
Open-AudIT_2.2.6
Open-AudIT_2.2.7
Open-AudIT_2.3.0
Open-AudIT_2.3.1
Open-AudIT_2.3.2
Open-AudIT_2.3.3
Open-AudIT_3.*
Open-AudIT_3.0.0
Open-AudIT_3.0.0_windows
Open-AudIT_3.0.1
Open-AudIT_3.0.2
Open-AudIT_3.1.0
Open-AudIT_3.1.1
Open-AudIT_3.1.2
Open-AudIT_3.2.0
Open-AudIT_3.2.1
Open-AudIT_3.2.2
Open-AudIT_3.3.0
Open-AudIT_3.3.1