Vulnerability Details CVE-2020-7357
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.78
EPSS Ranking 98.9%
CVSS Severity
CVSS v3 Score 9.6
CVSS v2 Score 9.0
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/182925
- https://github.com/rapid7/metasploit-framework/pull/13607
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/182925
- https://github.com/rapid7/metasploit-framework/pull/13607
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
Products affected by CVE-2020-7357
-
cpe:2.3:a:cayintech:cms-se:-
-
cpe:2.3:h:cayintech:cms-20:-
-
cpe:2.3:h:cayintech:cms-40:-
-
cpe:2.3:h:cayintech:cms-60:-
-
cpe:2.3:h:cayintech:cms-se-lxc:-
-
cpe:2.3:o:cayintech:cms-20_firmware:9.0
-
cpe:2.3:o:cayintech:cms-40_firmware:9.0
-
cpe:2.3:o:cayintech:cms-60_firmware:11.0
-
cpe:2.3:o:cayintech:cms-se-lxc_firmware:-
-
cpe:2.3:o:cayintech:cms-se_firmware:11.0
-
cpe:2.3:o:cayintech:cms:7.5
-
cpe:2.3:o:cayintech:cms:8.0
-
cpe:2.3:o:cayintech:cms:8.2