| Title | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection |
|---|
| Description | A critical Remote Command Execution (RCE) vulnerability exists in the Sangfor Operation and Maintenance Management System (OSM) version 3.0.8. The vulnerability is located in the /isomp-protocol/protocol/session endpoint.
The application fails to properly sanitize user input in the hostname parameter of an HTTP POST request. Code analysis reveals that the backend retrieves the hostname parameter and concatenates it directly into a shell command string (likely related to network connection tests or session initialization). This string is then executed by the system shell. Because the application does not filter shell metacharacters, an unauthenticated remote attacker can inject commands using a semicolon (;) or other operators. This allows the execution of arbitrary system commands with the privileges of the web service (typically root or tomcat). |
|---|
| Source | ⚠️ https://github.com/master-abc/cve/issues/14 |
|---|
| User | jiefengliang (UID 93721) |
|---|
| Submission | 12/30/2025 05:42 PM (2 months ago) |
|---|
| Moderation | 01/09/2026 06:12 PM (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 340347 [Sangfor Operation and Maintenance Management System up to 3.0.8 session SessionController Hostname os command injection] |
|---|
| Points | 20 |
|---|