⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2020-25494: OS Command Injection in Openserver

Severity: 9.8 CRITICAL (NVD)
EPSS: 60.6% (top 1.71%)
CISA KEV: Not in KEV
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Dec 18; latest update May 24

Description

Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (1 package)

NVD: xinuos/openserver 5.0.7, 6.0 (+1)

Vulnerability Details (2 sources)

GHSA: GHSA-6m4v-96f3-85ph: Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook (2022-05-24)
VulnCheck: xinuos openserver Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (2020)

Exploits & PoCs (1)

Exploit-DB: SCO Openserver 5.0.7 - 'outputform' Command Injection (2020-12-21)

Threat Intelligence

Unit42: Network Security Trends: May-July 2021 (2021-09-17)
Greynoiseio: Malicious Tag Roundup (Jun 7-18, 2021)