PT-2019-15850 · Zmanda · Zmanda Management Console

Robertchrk · Published 2019-12-01 · Updated 2020-08-24 · CVE-2019-19469

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zmanda Management Console version 3.3.9

Description: The issue allows CSRF, as demonstrated by OS command injection with shell metacharacters: a logged-in administrator's browser can be made to issue a request to the "ZMC Admin Advanced?form=adminTasks&action=Apply&command=" endpoint, and the value of the command parameter reaches a shell without sanitization. Exposure is worse where the console still runs with weak default credentials.

Recommendations: For Zmanda Management Console version 3.3.9, disable the ZMC Admin Advanced function or restrict access to the "ZMC Admin Advanced?form=adminTasks&action=Apply&command=" endpoint (for example, with a network or reverse-proxy ACL) until a patch is available. Replace any default credentials with strong, unique ones. Note that credentials alone do not stop CSRF: a durable fix also needs an anti-CSRF token or strict Origin/Referer validation on state-changing requests, and the command parameter must not be handed to a shell as a string; only allowlisted tasks should run, invoked with an argument vector.
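Until the endpoint is patched or fenced off, the practical question for a defender is whether it has already been driven cross-site. The following is an added example (not Zmanda's code and not from the advisory) that scans web-server access logs for the pattern above: requests carrying form=adminTasks&action=Apply with a command parameter, flagged when the Referer is not the console's own host or when the command contains shell metacharacters. The log lines are constructed for illustration; the console host zmc.example.internal and the path /ZMC_Admin_Advanced (the page renders it with spaces; the real path may differ, and the detector matches on the query parameters rather than the path) are assumptions.

```python
"""Scan combined-format access logs for cross-site or metacharacter-laden
requests to the ZMC adminTasks Apply endpoint (CVE-2019-19469 pattern).
Added example; not Zmanda's code. All log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the hostname the console is served from. Any other Referer host,
# or a missing Referer, is treated as cross-site.
CONSOLE_HOST = "zmc.example.internal"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters that turn a task name into a second command.
META_RE = re.compile(r'[;&|`$<>\r\n]')

# Constructed sample: line 1 is a normal same-origin call, line 2 is cross-site
# with ";id" appended, line 3 has no Referer and a $(...) substitution, line 4 is
# a different form and should be ignored, line 5 is same-origin but injects "|".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2019:10:00:01 +0000] "GET /ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=amcheck%20DailySet1 HTTP/1.1" 200 512 "https://zmc.example.internal/ZMC_Admin_Advanced" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2019:10:03:14 +0000] "GET /ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=amcheck%20DailySet1%3Bid HTTP/1.1" 200 640 "https://attacker.example/lure.html" "Mozilla/5.0"
10.0.0.7 - - [01/Dec/2019:10:04:02 +0000] "GET /ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=x%24%28id%29 HTTP/1.1" 200 301 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2019:10:05:30 +0000] "GET /ZMC_Admin_Advanced?form=backupSets&action=Apply&command=a%3Bb HTTP/1.1" 200 120 "https://zmc.example.internal/ZMC_Admin_Advanced" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2019:10:07:45 +0000] "GET /ZMC_Admin_Advanced?form=adminTasks&action=Apply&command=amcheck%20DailySet1%7Ccat%20/etc/passwd HTTP/1.1" 200 900 "https://zmc.example.internal/ZMC_Admin_Advanced" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict with the query decoded, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%3B" becomes ";" for the check below.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_apply_task(query):
    """True for the adminTasks Apply action carrying a command parameter."""
    return (query.get("form") == "adminTasks"
            and query.get("action") == "Apply"
            and "command" in query)


def referer_is_console(referer, console_host=CONSOLE_HOST):
    """True only when the Referer host is the console itself. '-' (absent) fails."""
    if not referer or referer == "-":
        return False
    return urlsplit(referer).hostname == console_host


def scan_log(text, console_host=CONSOLE_HOST):
    """Return one finding per suspicious Apply request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_apply_task(rec["query"]):
            continue
        cmd = rec["query"]["command"]
        cross_site = not referer_is_console(rec["referer"], console_host)
        metachars = bool(META_RE.search(cmd))
        if cross_site or metachars:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "command": cmd,
                "referer": rec["referer"],
                "cross_site": cross_site, "shell_metachars": metachars,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Treat a missing Referer as suspicious rather than benign: browsers and proxies do strip it, so a "-" on this endpoint is worth a look but is not proof of CSRF on its own, whereas a metacharacter in command is a red flag regardless of origin.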

Weakness Enumeration

CSRF

OS Command Injection

Related Identifiers

CVE-2019-19469

Affected Products

Zmanda Management Console