## https://sploitus.com/exploit?id=SAINT:12D923E478A5F12917E694F4DC11168D
Added: 04/30/2020
CVE: [CVE-2020-5847](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5847>)
### Background
[Unraid](<https://unraid.net/>) is a network-attached storage operating system. It runs a web-based graphical user interface (webGui) written in PHP.
### Problem
The Unraid webGui uses the PHP `**extract**` function to load all GET parameters into the application as variables, allowing a remote user to control any program variable, leading to command execution.
### Resolution
Upgrade to [Unraid](<https://unraid.net/>) 6.8.1 or higher.
### References
<https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/>