CVE-2017-17407

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content parameter provided to the script_test.jsp endpoint. A crafted content request parameter can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code under the context of the web service. Was ZDI-CAN-5080.
References
Link Resource
https://zerodayinitiative.com/advisories/ZDI-17-954 Third Party Advisory VDB Entry
https://zerodayinitiative.com/advisories/ZDI-17-954 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:netgain-systems:enterprise_manager:7.2.699:*:*:*:*:*:*:*

History

21 Nov 2024, 03:17

Type Values Removed Values Added
References () https://zerodayinitiative.com/advisories/ZDI-17-954 - Third Party Advisory, VDB Entry () https://zerodayinitiative.com/advisories/ZDI-17-954 - Third Party Advisory, VDB Entry

Information

Published : 2018-01-23 01:29

Updated : 2024-11-21 03:17


NVD link : CVE-2017-17407

Mitre link : CVE-2017-17407

CVE.ORG link : CVE-2017-17407


JSON object : View

Products Affected

netgain-systems

  • enterprise_manager
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-134

Use of Externally-Controlled Format String