PT-2019-13310 · Dynacolor · Dynacolor Fcm-Mb40

Rose Blair

Published

2019-07-08

Updated

2020-08-24

CVE-2019-13398

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Dynacolor FCM-MB40 version 1.2.0.0

Description The issue allows remote attackers to execute arbitrary commands by providing a crafted parameter to a CGI script. This can be achieved through sed injection in the cgi-bin/camctrl save profile.cgi endpoint, specifically the save parameter, as well as in the cgi-bin/ddns.cgi endpoint.

Recommendations For Dynacolor FCM-MB40 version 1.2.0.0, consider restricting access to the cgi-bin/camctrl save profile.cgi and cgi-bin/ddns.cgi endpoints to minimize the risk of exploitation. Avoid using the save parameter in the cgi-bin/camctrl save profile.cgi endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2019-13398

Affected Products

Dynacolor Fcm-Mb40

PT-2019-13310 · Dynacolor · Dynacolor Fcm-Mb40

CVE-2019-13398

Weakness Enumeration

Related Identifiers

Affected Products

References · 4