Vendor coverage
Track published CVEs, severity trends, and remediation context for zeroshell products.
Search results
Showing 1-4 of 4 vulnerabilities.
ZeroShell 3.9.5 has a command injection vulnerability in the IP parameter of /cgi-bin/kerbynet, which may allow an authenticated attacker to execute system commands.
CVSS: 8.8 (HIGH). Published: Jun 11, 2022
Zeroshell 3.9.3 contains a command injection vulnerability in the /cgi-bin/kerbynet StartSessionSubmit parameter that could allow an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
CVSS: 9.8 (CRITICAL). Published: Nov 30, 2020
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
CVSS: 9.8 (CRITICAL). Published: Jul 19, 2019
cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
CVSS: 10.0 (UNKNOWN). Published: Feb 12, 2009