CVE-2020-7361

ZenTao Pro Command Injection

CVSS 9.6 CRITICAL · EPSS 17.2% · CWE-78
Vexday Risk Score
48 Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.6 · EPSS 17.2% · KEV no · PoC Nuclei Metasploit yes · Patch
Lifecycle
20 Jun 2020: Metasploit module available
06 Aug 2020: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The EasyCorp ZenTao Pro application suffers from an OS command injection vulnerability in its '/pro/repo-create.html' component. After authenticating to the ZenTao dashboard, attackers may construct and send arbitrary OS commands via the POST parameter 'path', and those commands will run in an elevated SYSTEM context on the underlying Windows operating system.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products
EasyCorp · ZenTao Pro
