| Field | Value |
|---|---|
| Title | Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection |
| Description | A critical Remote Command Execution (RCE) vulnerability exists in the Sangfor Operation and Maintenance Security Management System (OSM) version 3.0.8. The vulnerability is located in the endpoint /isomp-protocol/protocol/session. The application fails to properly sanitize user input in the HTTP POST request parameters when handling the SSH protocol. Code analysis reveals that the backend retrieves the keypassword parameter and concatenates it directly into a shell command string (specifically an ssh-keygen command). This string is subsequently executed by the system shell. |
| Source | https://github.com/LX-LX88/cve/issues/20 |
| User | LINXI666 (UID 91556) |
| Submission | 10/01/2026 04h08 (6 months ago) |
| Moderation | 22/01/2026 08h40 (12 days later) |
| Status | Accepted |
| VulDB Entry | 342300 [Sangfor Operation and Maintenance Management System up to 3.0.12 SSH Protocol session SessionController keypassword Privilege Escalation] |
| Points | 20 |
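The description above names the root cause: a request parameter concatenated into a command string that is then run by the system shell. The example below, added here and not taken from Sangfor's code or from the linked report, shows that pattern next to its hardened form. The function names, the stand-in program and the sample passphrase value are all constructed for the example; a Python one-liner that prints its arguments stands in for ssh-keygen so the code runs anywhere.

```python
"""Command injection via string concatenation: the vulnerable pattern the
advisory describes, next to the hardened form. Example code added here; it is
not Sangfor's code and no function name below comes from the product."""
import shlex
import subprocess
import sys
from typing import List

# Constructed test value (not taken from the advisory): a passphrase that
# contains a shell command separator.
SAMPLE_KEYPASSWORD = "p4ss; echo injected"

# Stand-in for ssh-keygen so the example runs anywhere: a Python one-liner that
# prints the arguments it receives. It plays the role of the real binary only.
STAND_IN = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]


def run_with_shell(keypassword: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into a command
    string that is then handed to /bin/sh. Anything the shell treats specially
    (';', '&&', '|', '$()', backticks, quotes) changes what gets executed."""
    cmd = " ".join(shlex.quote(a) for a in STAND_IN) + f" -N {keypassword}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


def run_with_argv(keypassword: str) -> str:
    """Hardened form: pass an argv list and never involve a shell. The passphrase
    reaches the program as exactly one argument, metacharacters and all."""
    argv: List[str] = STAND_IN + ["-N", keypassword]
    completed = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return completed.stdout


def has_shell_metachars(value: str) -> bool:
    """Defence in depth and a detection aid: flag values that a shell-concatenating
    backend would misinterpret. Useful for logging and alerting on request
    parameters, but not a substitute for the argv form above."""
    return any(c in value for c in ";|&$`\n<>(){}\"'\\")


if __name__ == "__main__":
    print("shell  :", repr(run_with_shell(SAMPLE_KEYPASSWORD)))
    print("argv   :", repr(run_with_argv(SAMPLE_KEYPASSWORD)))
    print("flagged:", has_shell_metachars(SAMPLE_KEYPASSWORD))
```

With the shell variant the stand-in sees only `-N p4ss` and a second command runs afterwards; with the argv variant the whole value, separator included, arrives as the single argument following `-N`. The fix that matters is the argv form (or an equivalent API that never spawns a shell); the metacharacter check is only there to surface attempts in logs.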