PT-2019-19424 · Prima Systems · Flexair

Published

2019-06-05

Updated

2019-07-31

CVE-2019-9189

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Prima Systems FlexAir versions 2.4.9api3 and prior

Description The issue allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed due to root code execution, enabling an authenticated attacker to gain full system access.

Recommendations For versions 2.4.9api3 and prior, consider disabling the script upload feature in the main central controller configuration until a patch is available to prevent arbitrary Python script execution. Restrict access to the configuration interface to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2019-9189

Affected Products

Flexair

PT-2019-19424 · Prima Systems · Flexair

CVE-2019-9189

Weakness Enumeration

Related Identifiers

Affected Products

References · 8