Vulnerability Description
The WebControl in RaspberryTortoise through 2012-10-28 is vulnerable to remote code execution via shell metacharacters in a URI. The file nodejs/raspberryTortoise.js has no validation on the parameter incomingString before passing it to the child_process.exec function.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Raspberrytorte | Raspberrytortoise | <= 2012-10-28 |
Related Weaknesses (CWE)
References
- https://gist.github.com/PreethamBomma/e7b6d220790f95555dc2c5ac1d7d2f85ExploitThird Party Advisory
- https://github.com/raspberrytorte/tortoise/tree/master/nodejsExploitThird Party Advisory
- https://gist.github.com/PreethamBomma/e7b6d220790f95555dc2c5ac1d7d2f85ExploitThird Party Advisory
- https://github.com/raspberrytorte/tortoise/tree/master/nodejsExploitThird Party Advisory
FAQ
What is CVE-2020-15477?
CVE-2020-15477 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The WebControl in RaspberryTortoise through 2012-10-28 is vulnerable to remote code execution via shell metacharacters in a URI. The file nodejs/raspberryTortoise.js has no validation on the parameter...
How severe is CVE-2020-15477?
CVE-2020-15477 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-15477?
Check the references section above for vendor advisories and patch information. Affected products include: Raspberrytorte Raspberrytortoise.