CVE-2024-8958
Published 2025-03-20
Priority: P2 (score 60) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.29% (66.7th percentile)
In composiohq/composio version 0.4.3, there is an unrestricted file write and read vulnerability in the filetools actions. Due to improper validation of file paths, an attacker can read and write files anywhere on the server, potentially leading to privilege escalation or remote code execution.
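The description says the bug is improper validation of file paths in the filetools actions. The example below is an added illustration, not composio's code: it shows the generic anti-pattern (joining a caller-supplied path onto a sandbox directory and trusting the result) beside a confinement check that resolves the path, follows symlinks, and refuses anything that lands outside the sandbox. The helper names (`vulnerable_join`, `confine`, `escapes`, `confined_ok`, `demo`) and the temporary sandbox it builds are assumptions made for the demonstration.

```python
"""Path confinement for a "filetools"-style read/write action.

Added example, not composio's code. All helper names are hypothetical; the
sandbox directory, files and symlink are constructed in a temp dir so the
script runs offline on a POSIX host.
"""
import os
import tempfile
from pathlib import Path


def vulnerable_join(base: str, user_path: str) -> str:
    """The anti-pattern: trust the caller's path and join it onto a base dir.

    os.path.join discards `base` entirely when user_path is absolute, and a
    relative "../" sequence walks out of the base with no check at all.
    """
    return os.path.normpath(os.path.join(base, user_path))


def confine(base: str, user_path: str) -> Path:
    """Return the resolved target only if it stays inside `base`.

    resolve() follows symlinks, so a link inside the sandbox that points at
    a file outside it is rejected too; a prefix comparison on the normalised
    string alone would miss that case.
    """
    root = Path(base).resolve()
    # Absolute user paths are never legitimate for a sandboxed tool: reject
    # them outright instead of letting the join silently drop the base.
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute path not allowed: {user_path!r}")
    target = (root / user_path).resolve()
    if os.path.commonpath([str(root), str(target)]) != str(root):
        raise PermissionError(f"path escapes sandbox: {user_path!r}")
    return target


def escapes(base: str, user_path: str) -> bool:
    """True if the naive join would end up outside `base` once opened."""
    resolved = os.path.realpath(vulnerable_join(base, user_path))
    root = os.path.realpath(base)
    return os.path.commonpath([root, resolved]) != root


def confined_ok(base: str, user_path: str) -> bool:
    """True if confine() accepts the path, False if it rejects it."""
    try:
        confine(base, user_path)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Build a constructed sandbox and probe both helpers with attacker inputs.

    Returns {probe: (naive_join_escapes, confine_accepts)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "workspace")
        os.makedirs(os.path.join(sandbox, "notes"))
        outside = os.path.join(tmp, "secret.txt")  # constructed out-of-sandbox file
        Path(outside).write_text("not for the tool\n")
        # A symlink inside the sandbox pointing outside it (constructed).
        os.symlink(outside, os.path.join(sandbox, "link"))

        probes = ["notes/a.txt", "../secret.txt", "/etc/passwd", "link"]
        for p in probes:
            results[p] = (escapes(sandbox, p), confined_ok(sandbox, p))
    return results


if __name__ == "__main__":
    for probe, (naive_escapes, accepted) in demo().items():
        print(f"{probe!r:18} naive join escapes={naive_escapes!s:5} confine accepts={accepted}")
```

The check is done on the resolved path, not on the string the caller sent: `../` normalisation alone does not catch a symlink planted inside the workspace, and a bare `startswith` on the string would accept a sibling directory whose name shares the prefix. On Windows `os.path.commonpath` raises if the two paths are on different drives, which for this purpose should be treated as a rejection as well.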
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| composio | composio | — | — |
| composiohq | composiohq_composio | unspecified – latest | — |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v3.0: 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The two vectors differ only in Privileges Required (None in the v3.1 record, High in the v3.0 record), which accounts for the 9.8 versus 7.2 base scores.
Suricata
ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)
suricata · 2021-11-17 · CVSS 7.2
Note: this rule references CVE-2020-8958, an OS command injection in a Guangzhou 1GE ONU (see the rule's own reference URL), not CVE-2024-8958. It appears to have been associated with this page only by the shared numeric suffix and does not detect exploitation of the composio filetools issue.
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:4; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0
No public exploits indexed.
No writeups or analysis indexed.