CVE-2019-3495

Опубликовано: 21 мар. 2019

Источник: nvd

CVSS3: 8.8

CVSS2: 9

EPSS Низкий

Описание

An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using Hard coded credentials.

Ссылки

http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2019/Jan/23
Exploit
Mailing List
Third Party Advisory
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-Code-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2019/Jan/23
Exploit
Mailing List
Third Party Advisory
https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-Controller-0.x-3.x/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:indionetworks:unibox_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:indionetworks:unibox:-:*:*:*:*:*:*:*

EPSS

Процентиль: 78%

0.01143

Низкий

8.8 High

CVSS3

9 Critical

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-x3p7-m76v-6jxc