PT-2019-11872 · Glory · Glory Rbw-100

Published: 2019-04-05 · Updated: 2019-04-09 · CVE-2019-10478

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Glory RBW-100 devices with firmware ISP-K05-02 version 7.0.0

Description: An issue was discovered that allows attackers to upload supplied data due to an unrestricted file upload vulnerability in the Front Circle Controller glytoolcgi/settingfile upload.cgi endpoint. This can be used to place attacker-controlled code on the filesystem that can be executed, potentially leading to a reverse root shell.

Recommendations: For Glory RBW-100 devices with firmware ISP-K05-02 version 7.0.0, consider restricting access to the glytoolcgi/settingfile upload.cgi endpoint until a patch is available. As a temporary workaround, disabling the file upload functionality in this endpoint can help minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2019-10478

Affected products

Glory Rbw-100