Page tree
Skip to end of metadata
Go to start of metadata


This issue affects all installations of Open-AudIT prior to version 3.2.0.

A new version of Open-AudIT is available from and

Users are advised to upgrade ASAP to Open-AudIT 3.2.0.

This issue was reported to us by Jack Cable (thanks Jack). A link the the CVE is


If an authenticated user with Discovery Create permissions deliberately injects characters into the field that contains the URL on the Create Discoveries template, the field contents will be passed to the command line that runs the discovery script and be executed. The user can inject any command.

The issue has been addressed by filtering any characters for this input that are not:


This filtering occurs both at time of submission and upon command creation.

Severity: Low

The conditions of successful exploitation are that the attacker must have a role with the ability to edit discoveries in Open-AudIT and maliciously insert characters to break the command execution.

Products Affected

Open-AudIT 3.1.2 and earlier.

Available Updates

A patch for the issue described in this bulletin is available in the Open-AudIT v3.2.0 release. This release is available from and

Workarounds and Mitigations

Upgrade to Open-AudIT 3.2.0.

The issue was addressed by Opmantek and upgrading to Open-AudIT 3.2.0 will include this fix and remove the issue. 

The preferred method of mitigation is an upgrade to Open-AudIT 3.2.0.

  • No labels