CVE-2020-4428
In short
A vulnerability in IBM Data Risk Manager allows someone who has logged into the system to run any commands they want on the server. This is dangerous because an attacker could take full control of the system.
Technical detail
A CWE-78 command injection vulnerability in IBM Data Risk Manager 2.0.1 through 2.0.4 allows authenticated remote attackers to execute arbitrary OS commands through unvalidated input passed to system command execution functions. Successful exploitation results in complete system compromise, with commands running under the privileges of the application process.
Summary generated and translated by AI from the official description.
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
CVSS:3.0/AC:L/AV:N/S:C/A:H/C:H/PR:H/UI:N/I:H/E:U/RL:O/RC:C
Affected products
IBM · Data Risk Manager