| Title | Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injectiona |
|---|
| Description | A critical Remote Command Execution (RCE) vulnerability exists in the Sangfor Operation and Maintenance Security Management System (OSM). The vulnerability is located in the endpoint /fort/audit/get_clip_img.
The application fails to properly sanitize user input in the HTTP POST request parameters when handling clipboard image retrieval. Code analysis reveals that the backend retrieves the frame and dirno parameters and directly concatenates them into a shell command string. This string is subsequently executed by the system shell via ShellExecutor. This interface is accessible without authentication (No Auth). |
|---|
| Source | ⚠️ https://github.com/LX-LX88/cve/issues/22 |
|---|
| User | hhsw34 (UID 91076) |
|---|
| Submission | 01/12/2026 10:29 (3 months ago) |
|---|
| Moderation | 01/25/2026 10:50 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 342801 [Sangfor Operation and Maintenance Security Management System HTTP POST Request /fort/audit/get_clip_img command injection] |
|---|
| Points | 20 |
|---|