PT-2018-13461 · Moxa · Moxa Edr-810

Tim124058 · Published 2018-09-20 · Updated 2018-11-05 · CVE-2018-16282

CVSS v2.0: 9.0 High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Moxa EDR-810 version 4.2 build 18041013

Description

A command injection issue in the web server functionality allows remote attackers to execute arbitrary OS commands with root privilege. This is achieved via the caname parameter to the "/xml/net WebCADELETEGetValue" API endpoint.

Recommendations

For Moxa EDR-810 version 4.2 build 18041013, avoid using the caname parameter in the "/xml/net WebCADELETEGetValue" API endpoint until the issue is resolved. Restrict access to this endpoint to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2018-16282

Affected Products

Moxa Edr-810