CVE-2020-7361
Summary
| CVE | CVE-2020-7361 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-08-06 16:15:00 UTC |
| Updated | 2020-08-10 16:57:00 UTC |
| Description | The EasyCorp ZenTao Pro application suffers from an OS command injection vulnerability in its '/pro/repo-create.html' component. After authenticating to the ZenTao dashboard, attackers may construct and send arbitrary OS commands via the POST parameter 'path', and those commands will run in an elevated SYSTEM context on the underlying Windows operating system. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Easycorp | Zentao Pro | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Add ZenTao Pro 8.8.2 Remote Code Execution module and docs by kalba-security · Pull Request #13828 · rapid7/metasploit-framework · GitHub | MISC | github.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was discovered by Daniel Monzón.
There are currently no legacy QID mappings associated with this CVE.