Description

A remote code execution vulnerability exists in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via the LogService.

Remediation

Upgrade to the latest version of MobileIron.

References

CVE-2020-15505

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

MobileIron Security Updates Available

Related Vulnerabilities

Ektron CMS unauthenticated code execution and Local File Read

Drupal Core 5.x Arbitrary Code Execution (5.0 - 5.2)

WordPress Plugin ThemeREX Addons Remote Code Execution (All)

WordPress Plugin WordPress Mega Menu-QuadMenu Remote Code Execution (2.0.6)

Microsoft Exchange Server Pre-auth Path Confusion vulnerability (CVE-2021-34473)

Severity

High

Classification

CVE-2020-15505 CWE-78 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution