Presentation

An EON user with sufficient rights to use the ITSM module can add files that allow arbitrary commands to be executed. The ‘File’ field, when adding a configuration, does not check that the uploaded file is of the expected format.
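The flaw described above is a missing server-side format check on an uploaded configuration file. The following is an added example (not EON's code) of the validation a defender would put in front of such an upload: filename normalisation, an extension allowlist, and a check that the content is plain text with no embedded script markers. The allowlist, size limit and marker list are constructed values for illustration.

```python
"""Server-side validation of an uploaded configuration file (added example)."""
import os
import re
from typing import Optional, Tuple

ALLOWED_EXT = {".cfg", ".conf", ".txt"}      # constructed allowlist
MAX_SIZE = 256 * 1024                         # constructed size limit
# Markers whose presence means the "configuration" is really executable code.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"#!/", b"<script")


def safe_name(filename: str) -> Optional[str]:
    """Keep only the base name and reject anything outside a strict charset."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        return None
    return base


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail); detail is the stored name or a rejection reason."""
    name = safe_name(filename)
    if name is None:
        return False, "invalid filename"
    # The allowlist is applied to the final extension, so "x.cfg.php" is rejected.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    # A configuration file is text: NUL bytes or undecodable bytes mean a binary.
    if b"\x00" in data:
        return False, "binary content in text configuration"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    # Script markers are matched case-insensitively ("<?PHP" is still PHP).
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script content in configuration"
    return True, name
```

The check must run on the server; a client-side file-type filter or a trusted Content-Type header is exactly what an attacker controls.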

Exploit

https://github.com/ArianeBlow/exploit-eyesofnetwork5.3.10/blob/main/PoC-BruteForceID-arbitraty-file-upload-RCE-PrivEsc.py

Impacted Version(s)

EON 5.3-0+

Fixed Version(s)

EON 5.3-11

Fix

Download the latest fixed EON version.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27513

https://github.com/EyesOfNetworkCommunity/eonweb/issues/87