Presentation

An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php.

Exploit

EONRCEv3

Impacted Version(s)

EON 5.3 (All versions)

Fixed Version(s)

Not fixed.

Fix

Not fixed.

https://h4knet.medium.com/exploiting-sql-injections-in-eyesofnetwork-baacab0b9e7b https://github.com/EyesOfNetworkCommunity/eonweb/issues/76 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27887