IBM Spectrum Protect Plus uploadHttpsCertificate Command Injection

Strike ID:
E20-11ox1
CVSS:
8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
1
Year:
2020

Description

This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a lack of input sanitization for injection or invalid characters in the filename parameter. When an attacker sends an HTTP POST request to the "/emi/api/uploadhttpscertificate" URI, command execution can occur.

CVE