CVE-2020-12149
MEDIUM
Aruba EdgeConnect Enterprise 8.1-8.1.9.14 - Authenticated OS Command Injection via Configuration Backup Filename
Title source: llm
Description
The configuration backup/restore function in Silver Peak Unity ECOS™ (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://www.silver-peak.com/support/user-documentation/security-advisories
Scores
CVSS v3
6.8
EPSS
0.0037
EPSS Percentile
59.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
arubanetworks/edgeconnect_enterprise
8.1 - 8.1.9.15
Published
Dec 11, 2020
Tracked Since
Feb 18, 2026