CVE-2020-13942
Description
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.
Severity: CRITICAL
CVE ID: CVE-2020-13942
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2020-13942
Reference: Project Discovery GitHub
lp008
Reference: GitHub
eugenebmx
CVE-2020-13942 unauthenticated RCE POC through MVEL and OGNL injection
Reference: GitHub
shifa123
CVE-2020-13942 POC + Automation Script
Reference: GitHub
blackmarketer
Reference: GitHub
yaunsky
CVE-2020-13942 Apache Unomi remote code execution vulnerability getshell script
Reference: GitHub
hoanx4
Apache Unomi CVE-2020-13942: RCE Vulnerabilities
Reference: GitHub
Prodrious
Reference: GitHub
Content on GitHub
1135 | watchers:6
unomi_exploit
CVE-2020-11975 CVE-2020-13942
Reference: GitHub
zhzyker | watchers:3278
vulmap
Vulmap is a web vulnerability scanning and verification tool that can scan webapps for vulnerabilities and also provides vulnerability verification
Reference: GitHub