CVE-2020-26124: New security updates available | openmediavault
openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because json_encode_safe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating system as root.
The following versions need to be updated immediately because of an authenticated PHP code injection vulnerability (CVE-2020-26124).
openmediavault 3.0.100
- Add Debian security repository.
- Disable jessie-backports repository.
- Fix ‘Authenticated PHP Code Injection’ reported by Anastasios Stasinopoulos (@ancst) – Obrela Labs Team.
openmediavault 4.1.36
- Fix ‘Authenticated PHP Code Injection’ reported by Anastasios Stasinopoulos (@ancst) – Obrela Labs Team.
openmediavault 5.5.12
- Update locales.
- Fix ‘Authenticated PHP Code Injection’ reported by Anastasios Stasinopoulos (@ancst) – Obrela Labs Team.
- Issue #816: If you have assigned a comment to a user, you can’t delete the comment.
- Issue #819: Dashboard on mobile not adjusting to 100% screen size.
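
To triage an inventory of installed versions against the fixed releases listed above, the following added example (not code from the openmediavault project) classifies a version string per branch. The function names, status labels and sample version strings are assumptions constructed for illustration; the fixed-release numbers come from this advisory.

```python
import re

# Fixed releases per major branch, as listed in the advisory above.
FIXED = {3: (3, 0, 100), 4: (4, 1, 36), 5: (5, 5, 12)}


def parse_version(text):
    """Return (major, minor, patch) from '5.5.11', '5.5.11-1' or '1:5.5.11'."""
    m = re.match(r"\s*(?:\d+:)?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(installed):
    """Classify an openmediavault version against CVE-2020-26124.

    Returns (status, fixed_release_or_None). Status labels are hypothetical.
    """
    ver = parse_version(installed)
    major = ver[0]
    if major in FIXED:
        fixed = FIXED[major]
        if ver >= fixed:
            return ("patched", None)
        return ("vulnerable", ".".join(str(n) for n in fixed))
    if major < min(FIXED):
        # Falls under "before 4.1.36", but the advisory lists no fix
        # for this branch, so the host needs a branch upgrade.
        return ("vulnerable-no-listed-fix", None)
    # A newer branch than the advisory covers; check its own changelog.
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> installed package version.
    inventory = {"nas-a": "5.5.11-1", "nas-b": "4.1.36", "nas-c": "2.2.14"}
    for host, version in sorted(inventory.items()):
        status, fix = triage(version)
        print(f"{host}: {version} -> {status}" + (f" (update to {fix})" if fix else ""))
```

On a Debian-based install the version string can be read with `dpkg-query -W -f='${Version}' openmediavault` and passed to `triage`.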