CVE-2012-10048
BaseFortify
Publication date: 2025-08-08
Last updated on: 2025-08-08
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zenoss | zenoss_core | 3.2.1 |
| zenoss | zenoss_core | 3.x |
| zenoss | zenoss_core | 4.1.70-1482 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Zenoss Core 3.x within the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in the ZenossInfo.py script without proper input sanitization. This allows authenticated users to execute arbitrary commands on the server with the privileges of the zenoss user.
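The mitigation pattern for this class of flaw, shown as an added example rather than Zenoss code or the vendor's patch: treat the daemon value as an identifier, check it against an allowlist, and pass it to the process as a single argv element with no shell. The allowlist contents, the function names and the Python stand-in launcher are assumptions made so the example runs anywhere.

```python
import re
import subprocess
import sys

# Constructed allowlist for this example; a real deployment would list the
# daemons actually installed on the host.
KNOWN_DAEMONS = frozenset({"zenhub", "zenping", "zenperfsnmp"})
_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
# Hypothetical stand-in for the real daemon binary: echoes its first argument.
_LAUNCHER = (sys.executable, "-c", "import sys; print(sys.argv[1])")


def validate_daemon(daemon):
    """Return the daemon name if it is an allowlisted identifier, else raise."""
    if not isinstance(daemon, str) or not _NAME_RE.fullmatch(daemon):
        raise ValueError("daemon name has unexpected characters")
    if daemon not in KNOWN_DAEMONS:
        raise ValueError("unknown daemon")
    return daemon


def build_argv(daemon, launcher=_LAUNCHER):
    """Build the argument vector; the daemon name is always one argv element."""
    return [*launcher, validate_daemon(daemon)]


def show_daemon_config(daemon):
    """Hardened flow: validate first, then run without a shell, with a timeout."""
    result = subprocess.run(build_argv(daemon), shell=False, capture_output=True,
                            text=True, timeout=10, check=True)
    return result.stdout.strip()


def audit(requested):
    """Classify request values the way a handler or a log reviewer would."""
    verdicts = {}
    for value in requested:
        try:
            validate_daemon(value)
            verdicts[value] = "allowed"
        except ValueError as exc:
            verdicts[value] = "rejected: %s" % exc
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, two with shell metacharacters,
    # and one well-formed but unknown name.
    for value, verdict in audit(["zenhub", "zenhub; id", "$(id)", "zenfoo"]).items():
        print(repr(value), "->", verdict)
    print(show_daemon_config("zenhub"))
```

The same `audit` check can be run over logged `daemon` values from web-server access logs to flag requests that carried unexpected characters.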
How can this vulnerability impact me?
An attacker who is authenticated can exploit this vulnerability to execute arbitrary commands on the server as the zenoss user. This could lead to unauthorized access, data compromise, system manipulation, or further attacks within the affected environment.