CVE-2020-26238

HIGH Year: 2020
CVSS v3 Score
8.1
High
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-74
View all →

Vulnerability Description

Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils before version 9.1.3, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched in version 9.1.3.

Related Vulnerabilities

CVE-2013-2678

HIGH
CVSS:8.1(High)

Cisco Linksys E4200 1.0.05 Build 7 routers contain a Local File Include Vulnerability which could allow remote attackers to obtain sensitive information or execute arbitrary code by sending a crafted ...

CWE-742013

CVE-2013-3212

HIGH
CVSS:8.1(High)

vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allows remote attackers to view files and execute local script code.

CWE-742013

CVE-2015-4075

HIGH
CVSS:8.1(High)

The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.

CWE-742015

CVE-2016-10845

HIGH
CVSS:8.1(High)

cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78).

CWE-742016

CVE-2016-10847

HIGH
CVSS:8.1(High)

cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80).

CWE-742016

CVE-2018-1000130

HIGH
CVSS:8.1(High)

A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server.

CWE-742018