CVE-2020-37123: Pinger 1.0 - Remote Code Execution
Vulnerability description
Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. [Publicly disclosed]

```yaml
id: CVE-2020-37123

info:
  name: Pinger 1.0 - Remote Code Execution
  author: bswearingen
  severity: critical
  description: |
    Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters.
  impact: |
    An unauthenticated attacker can execute arbitrary system commands on the server.
  remediation: |
    Remove Pinger or apply input validation to sanitize the ping and socket parameters.
  reference:
    - https://www.exploit-db.com/exploits/48323
    - https://nvd.nist.gov/vuln/detail/CVE-2020-37123
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-37123
    epss-score: 0.09915
    epss-percentile: 0.92866
    cwe-id: CWE-78
  metadata:
    verified:
```
Affected scope
Unknown
Remediation advice
None available yet