PT-2018-5431 · Planex · Planex Cs-Qr20
Kenney Lu
·
Published
2018-08-24
·
Updated
2018-11-05
·
CVE-2017-12577
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
PLANEX CS-QR20 version 1.30
Description:
The vendor's Android application for the camera contains a hardcoded account and password, admin and password. The same credentials are accepted by a hidden API URL on the device, "/goform/SystemCommand", which executes any supplied command with root permission. Because the credentials ship inside the app and are identical on every unit, an attacker who can reach the device's web interface needs no further secret to take full control of it, which is what the CVSS vector above (network-reachable, low complexity, no privileges, no user interaction, full impact on confidentiality, integrity and availability) records.
Recommendations:
For PLANEX CS-QR20 version 1.30, change the default admin password to a strong, unique one if the firmware allows it, keeping in mind that the Android application authenticates with the embedded admin/password pair and may therefore stop working against a device whose password has been changed. Restrict access to the web interface, and to the "/goform/SystemCommand" endpoint in particular, to trusted hosts (local VLAN or firewall rules, no Internet exposure through port forwarding or UPnP), and treat any request to that path from an unexpected source as an attempted compromise. As a temporary workaround until a patch is available, disable the hardcoded admin account if the device permits it; otherwise keep the camera unreachable from untrusted networks.
Fix:
No fix is listed on this page.
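As an added example (not code from this advisory, from Planex, or from the researcher), the following Python scans HTTP request records for the two indicators the advisory gives: requests to the hidden "/goform/SystemCommand" endpoint and use of the hardcoded admin:password pair. It assumes the camera's web interface uses HTTP Basic authentication and that a proxy or network sensor in front of the device logs the client address, request line, status and Authorization header; neither detail is stated on this page, and the log lines in the block are constructed for the example.

```python
"""Detection of CVE-2017-12577 indicators in HTTP request records.

Added example, not code from the advisory or from Planex. Assumptions (not
stated on the page): the CS-QR20 web interface uses HTTP Basic authentication,
and a proxy or network sensor in front of the camera logs each request as
"<client ip> <method> <path> <status> <Authorization header or ->".
"""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the advisory text.
HIDDEN_ENDPOINT = "/goform/SystemCommand"
HARDCODED_CREDS = ("admin", "password")

# Address ranges from which camera administration is expected (assumption).
TRUSTED_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<auth>.*)$"
)


def _basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value (used only to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample records for this example; not captured from a real device.
SAMPLE_LOG = "\n".join([
    f"192.168.1.20 GET {HIDDEN_ENDPOINT} 200 {_basic('admin', 'password')}",
    f"203.0.113.9 GET {HIDDEN_ENDPOINT} 200 {_basic('admin', 'password')}",
    f"192.168.1.20 GET /index.html 200 {_basic('admin', 'password')}",
    f"192.168.1.31 GET /index.html 200 {_basic('user1', 's3cret')}",
    f"198.51.100.4 POST {HIDDEN_ENDPOINT} 401 -",
    "garbage line that does not parse",
])


@dataclass
class Finding:
    client_ip: str
    path: str
    reason: str


def decode_basic(auth_header: str):
    """Return (user, password) from a Basic Authorization value, else None.

    Malformed base64 or non-UTF-8 payloads yield None instead of raising, so
    one bad record does not abort the scan.
    """
    if not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_untrusted(ip: str, trusted_nets) -> bool:
    """True when the client address lies outside every trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source address: treat as untrusted
    return not any(addr in net for net in trusted_nets)


def scan_log(text: str, trusted_nets=TRUSTED_NETS) -> list:
    """Return one Finding per indicator hit in the given log text."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than fail
        ip, path, auth = m["ip"], m["path"], m["auth"]
        # Any hit on the hidden endpoint is suspicious, even a 401 (probing).
        if path.split("?", 1)[0] == HIDDEN_ENDPOINT:
            reason = "request to hidden root command endpoint"
            if is_untrusted(ip, nets):
                reason += " from untrusted address"
            findings.append(Finding(ip, path, reason))
        # The embedded credential pair is public knowledge once extracted from
        # the app, so any use of it is worth flagging regardless of the path.
        if decode_basic(auth) == HARDCODED_CREDS:
            findings.append(Finding(ip, path, "hardcoded admin:password credentials used"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client_ip:15} {f.path:24} {f.reason}")
```

Run stand-alone it prints six findings for the constructed sample: two for each of the first two records (endpoint plus credentials), one for the credential use on /index.html, and one for the unauthenticated probe from 198.51.100.4. Querying on the path alone would miss the credential reuse on ordinary pages, and querying on credentials alone would miss probes that never present them, which is why the two checks are independent.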
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
Affected Products
Planex Cs-Qr20