CVE-2019-10656

Опубликовано: 30 мар. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Низкий

Описание

Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.

Ссылки

https://github.com/scarvell/grandstream_exploits
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Third Party Advisory
https://github.com/scarvell/grandstream_exploits
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:grandstream:gwn7000_firmware:*:*:*:*:*:*:*:*

Версия до 1.0.6.32 (исключая)

cpe:2.3:h:grandstream:gwn7000:-:*:*:*:*:*:*:*

EPSS

Процентиль: 86%

0.02829

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-x2rc-jmc3-v5q4