{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "18.04" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "9.0" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "10.0" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "1.81" }, { "last_affected": "2.0.7" } ] }, "events": [ { "introduced": "54139d81eba1c9200c6b07f65bdba03a301cd3c2" }, { "last_affected": "c5aa1e300105578f3c3c025b367f4d2725ae5b5d" } ], "repo": "https://github.com/erlyaws/yaws", "type": "GIT" } ] } ], "details": "CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.", "id": "CVE-2020-24916", "modified": "2026-03-15T13:44:20.367852756Z", "published": "2020-09-09T19:15:21.147Z", "references": [ { "type": "ADVISORY", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00022.html" }, { "type": "ADVISORY", "url": "https://usn.ubuntu.com/4569-1/" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2020/dsa-4773" }, { "type": "FIX", "url": "https://github.com/erlyaws/yaws/commits/master" }, { "type": "EVIDENCE", "url": "https://github.com/vulnbe/poc-yaws-cgi-shell-injection" }, { "type": "EVIDENCE", "url": "https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html" }, { "type": "EVIDENCE", "url": "https://vuln.be/post/yaws-xxe-and-shell-injections/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }