漏洞标题
在Fidelis网络中的可验证命令注入漏洞和欺骗
漏洞描述信息
Fidelis 网络和欺骗中的已验证命令注入漏洞
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
Authenticated Command Injection Vulnerability in Fidelis Network and Deception
漏洞描述信息
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
漏洞标题
Fidelis Network Deception 命令注入漏洞
漏洞描述信息
Fidelis Network Deception是美国Fidelis公司的一款安全产品。用于检测威胁并防止数据丢失,有检测恶意行为、识别流量异常、自动响应高级威胁等功能。 Fidelis Network and Deception 9.4.5之前版本存在安全漏洞,该漏洞源于CommandPost的feed参数在使用feed_comm_test值时存在命令注入。攻击者利用该漏洞可以通过特殊的HTTP请求执行系统命令。
CVSS信息
N/A
漏洞类别
命令注入