CVE-2020-12775

CRITICAL

Hicos Citizen Certificate - Command Injection


Description

The Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform a command injection attack and execute arbitrary system commands, disrupt the system, or terminate the service.

References (2)

Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-5695-421a7-1.html
Patch, Vendor Advisory x_refsource_misc
https://moica.nat.gov.tw/rac_plugin.html

Scores

CVSS v3 9.8
EPSS 0.0291
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (2)
moica/hicos < 1.3.4.12
moica/hicos < 3.0.0
Published Mar 01, 2022
Tracked Since Feb 18, 2026