CVE-2020-8868

Published: Mar 23, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest Foglight Evolve 9.0.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the __service__ user account. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-9553.

Affected (1)

Products: Quest: Foglight Evolve

1 product

Foglight Evolve

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Quest Foglight Evolve	Version 9.0.0

Related CWEs

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (4)

https://support.quest.com/foglight/kb/315091/fms-5-9-5-hotfix-hfix-314

Source: zdi-disclosures@trendmicro.com

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-290/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://support.quest.com/foglight/kb/315091/fms-5-9-5-hotfix-hfix-314

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-20-290/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.