CVE-2020-15492

CRITICAL

Inneo Startup Tools < 13.0.70.3804 - Path Traversal

Title source: rule

Description

An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

Exploits (2)

exploitdb WORKING POC

by Patrick Hener · gowebappsmultiple

https://www.exploit-db.com/exploits/48693

View Code ZIP pw:eip

nomisec WORKING POC

by patrickhener · poc

https://github.com/patrickhener/CVE-2020-15492

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/158556/INNEO-Startup-TOOLS-2018-M040-13.0.70.3804-Remote-Code-Execution.html

[Product, Vendor Advisory] https://www.inneo.co.uk/en/product-development/inneo-in-house-products/startup-tools.html

[Vendor Advisory] https://www.inneo.de/files/content/Produktentwicklung/Tools-und-Erweiterungen/Startup-TOOLS/INNEO-SA-SUT-2020-01.pdf

[Exploit, Third Party Advisory] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt

[Third Party Advisory] https://www.syss.de/pentest-blog/2020/syss-2020-028-sicherheitsschwachstelle-in-inneo-startup-tools-2017-und-2018/

Scores

CVSS v3 9.8

EPSS 0.3774

EPSS Percentile 97.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

inneo/startup_tools 12.0.66.3784 - 13.0.70.3804

Published Jul 23, 2020

Tracked Since Feb 18, 2026