CVE-2019-17270

Name of the Vulnerable Software and Affected Versions Yachtcontrol versions through 2019-10-06

Description The issue exists due to the lack of measures to neutralize special elements used in operating system commands. This allows a remote attacker to execute arbitrary code using a specially crafted page /pages/systemcall.php?command={COMMAND} by connecting through GPRS/4G networks. An unauthenticated user can perform direct operating system commands via the /pages/systemcall.php page and the command parameter, where the {COMMAND} will be executed and return results to the client.

Recommendations For Yachtcontrol versions through 2019-10-06, consider disabling access to the /pages/systemcall.php page as a temporary workaround until a patch is available. Restrict the use of the command parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.