Vulnerability Details : CVE-2020-8656
Public exploit exists!
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/api_functions.php.
Vulnerability category: Sql Injection
Products affected by CVE-2020-8656
- cpe:2.3:a:eyesofnetwork:eyesofnetwork:5.3-0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8656
4.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2020-8656
-
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
Disclosure Date: 2020-02-06First seen: 2020-04-26exploit/linux/http/eyesofnetwork_autodiscovery_rceThis module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality with
CVSS scores for CVE-2020-8656
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-8656
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8656
-
http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
EyesOfNetwork AutoDiscovery Target Command Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
EyesOfNetwork 5.3 Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://github.com/EyesOfNetworkCommunity/eonapi/issues/16
Injection SQL sur le champ username de getApiKey · Issue #16 · EyesOfNetworkCommunity/eonapi · GitHubThird Party Advisory
Jump to