cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Recent assessments:
hrbrmstr at September 10, 2020 2:42pm UTC reported:
MSF module — <https://www.rapid7.com/db/modules/exploit/unix/webapp/zeroshell_exec>
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5