PT-2019-12953 · Hunesion · Hunesion I-Onenet
Published 2019-07-10 · Updated 2023-02-28 · CVE-2019-12803
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Hunesion i-oneNet versions 3.0.7 through 3.0.53
Hunesion i-oneNet versions 4.0.4 through 4.0.16
Description
A specific upload web module does not verify the extension and type of uploaded files, which allows an attacker to upload a webshell. Once the webshell is uploaded, the attacker can use it for remote code execution, such as running system commands.
Recommendations
For Hunesion i-oneNet versions 3.0.7 through 3.0.53, consider disabling the upload web module until a patch is available.
For Hunesion i-oneNet versions 4.0.4 through 4.0.16, consider disabling the upload web module until a patch is available.
As a temporary workaround, restrict access to the upload web module to minimize the risk of exploitation.
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Hunesion I-Onenet