CVE-2020-24985

HIGH

Quadbase EspressReports ES <7 - Command Injection

Title source: llm

Description

An issue was discovered in Quadbase EspressReports ES 7 Update 9. An authenticated user is able to navigate to the MenuPage section of the application, and change the frmsrc parameter value to retrieve and execute external files or payloads.

References (1)

[Exploit, Third Party Advisory] https://c41nc.co.uk/cve-2020-24985/

Scores

CVSS v3 8.1

EPSS 0.0067

EPSS Percentile 71.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-829

Status published

Products (1)

quadbase/espressdashboard 7.0 update9

Published Mar 15, 2021

Tracked Since Feb 18, 2026