| Vendor |
|
| Product | NetGain EM FreeEdition |
| Affected Version(s) | v10.0.9b51 and prior |
| Tested Version(s) | v10.0.9b51 |
| Vendor Notification | May 02, 2018 |
| Advisory Publication | April 30, 2018 [without technical details] |
| Vendor Fix | v10.0.57 |
| Public Disclosure | October 19, 2018 |
| Latest Modification | April 30, 2018 |
| CVE Identifier(s) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10587 |
| Product Description | NetGain is an IT monitoring software. It provides one of the most comprehensive monitoring scope in the industry. Launched in 2002, NetGain Systems is a pioneer in the IT monitoring and protection business and has established teams in Singapore, China, Indonesia, Thailand, Malaysia and Australia. |
| Credits | Enrico Winata, Security Researcher & Penetration Tester @wizlynx group - Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group |
| Remote Command Execution | |||
| Severity: Critical | CVSS Score: 9.1 | CWE-ID: CWE-78 | Status: Not Fixed |
| Vulnerability Description | |||
| The web application running on NetGain EM is affected by operating system command injection vulnerabilities affecting version 10.0.9 and probably prior versions. An attacker can use shell metacharacters to modify the command that is executed and inject arbitrary further commands that will be executed by the server. This vulnerability may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | High |
| Privileges Required | High | Integrity Impact | High |
| User Interaction | None | Availability Impact | High |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.