CVE-2019-10658

Опубликовано: 30 мар. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.

Ссылки

https://github.com/scarvell/grandstream_exploits
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Third Party Advisory
https://github.com/scarvell/grandstream_exploits
Third Party Advisory
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:grandstream:gwn7610_firmware:*:*:*:*:*:*:*:*

Версия до 1.0.8.18 (исключая)

cpe:2.3:h:grandstream:gwn7610:-:*:*:*:*:*:*:*

EPSS

Процентиль: 84%

0.0223

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-592x-9cgq-g8gh