PT-2019-11872 · Glory · Glory Rbw-100
Published: 2019-04-05 · Updated: 2019-04-09
CVE-2019-10478
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Glory RBW-100 devices with firmware ISP-K05-02 version 7.0.0
Description
An unrestricted file upload vulnerability in the Front Circle Controller glytoolcgi/settingfile upload.cgi endpoint allows attackers to upload attacker-supplied data. This can be used to place attacker-controlled code on the filesystem, where it can be executed, potentially leading to a reverse root shell.
Recommendations
For Glory RBW-100 devices with firmware ISP-K05-02 version 7.0.0, consider restricting access to the glytoolcgi/settingfile upload.cgi endpoint until a patch is available. As a temporary workaround, disabling the file upload functionality in this endpoint can help minimize the risk of exploitation.
Exploit
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Glory Rbw-100