CVE-2020-12078

Name: CVE-2020-12078
Creator: NVD / NIST
Published: 2020-04-28T14:15:14.203+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 10.00%

Last modified Jun 17, 2026

CVE-2020-12078 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. EPSS estimates a 10.00% chance of exploitation in the next 30 days.

Description

An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called exclude_ip). This exclude_ip value is passed to the exec function in the discoveries_helper.php file (inside the all_ip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

10.00%

95.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Opmantek	Open-Audit	3.3.1

References

http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://gist.github.com/mhaskar/dca62d0f0facc13f6364b8ed88d5a7fdExploit, Third Party Advisory
https://github.com/Opmantek/open-audit/commit/6ffc7f9032c55eaa1c37cf5e070809b7211c7e9aPatch, Third Party Advisory
https://shells.systems/open-audit-v3-3-1-remote-command-execution-cve-2020-12078/Exploit, Third Party Advisory
http://packetstormsecurity.com/files/157477/Open-AudIT-Professional-3.3.1-Remote-Code-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://gist.github.com/mhaskar/dca62d0f0facc13f6364b8ed88d5a7fdExploit, Third Party Advisory
https://github.com/Opmantek/open-audit/commit/6ffc7f9032c55eaa1c37cf5e070809b7211c7e9aPatch, Third Party Advisory
https://shells.systems/open-audit-v3-3-1-remote-command-execution-cve-2020-12078/Exploit, Third Party Advisory

Timeline

Published: Apr 28, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-12078?

How severe is CVE-2020-12078?

CVE-2020-12078 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 10.00% probability of exploitation in the next 30 days.

How do I fix CVE-2020-12078?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-12078?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST