CVE-2015-2845 : The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-142190280

The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.

Published 2015-05-12 19:59:21

Updated 2018-10-09 19:56:33

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2015-2845

Goautodial » Goadmin Ce » Version: 3.0
cpe:2.3:a:goautodial:goadmin_ce:3.0:*:*:*:*:*:*:*
Matching versions
Goautodial » Goadmin Ce » Version: 3.3
cpe:2.3:a:goautodial:goadmin_ce:3.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-2845

EPSS FAQ

85.62%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2015-2845

GoAutoDial 3.3 Authentication Bypass / Command Injection

Disclosure Date: 2015-04-21

First seen: 2020-04-26

exploit/linux/http/goautodial_3_rce_command_injection

This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command

More information

CVSS scores for CVE-2015-2845

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2015-2845

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-2845

http://www.securityfocus.com/archive/1/535319/100/1100/threaded

SecurityFocus

CVEs referencing this url
http://www.securityfocus.com/bid/74281

GoAutoDial GoAdmin CE Multiple Security Vulnerabilities

CVEs referencing this url
https://www.exploit-db.com/exploits/42296/

GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)

CVEs referencing this url
https://www.exploit-db.com/exploits/36807/

GoAutoDial CE 3.3-1406088000 - Authentication Bypass / Arbitrary File Upload / Command Injection
Exploit

CVEs referencing this url
http://goautodial.org/news/21

GoAdmin CE Security Vulnerability - GOautodial Omni-channel Contact Center Suite - GOautodial Open Source Omni-channel Contact Center Suite (predictive dialer + inbound IVR & ACD + non-voice)
Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/131543/GoAutoDial-SQL-Injection-Command-Execution-File-Upload.html

GoAutoDial SQL Injection / Command Execution / File Upload ≈ Packet Storm

CVEs referencing this url

Jump to