CVE-2019-3931

Name of the Vulnerable Software and Affected Versions Crestron AM-100 version 1.6.0.2 Crestron AM-101 version 2.7.0.2

Description The issue allows a remote, authenticated attacker to perform argument injection to the curl binary via crafted HTTP requests to the "return.cgi" endpoint. This can lead to file uploads to the device and potentially execute code as root.

Recommendations For Crestron AM-100 version 1.6.0.2, consider restricting access to the "return.cgi" endpoint until a fix is available. For Crestron AM-101 version 2.7.0.2, avoid using the curl binary with crafted HTTP requests until the issue is resolved. As a temporary workaround, consider disabling the execution of code as root on the device until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.