PT-2020-20435 · Iteris · Iteris Vantage Velocity Field Unit

Published: 2020-02-17 · Updated: 2020-02-19 · CVE-2020-9020

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Iteris Vantage Velocity Field Unit versions 2.3.1, 2.4.2, and 3.0

Description: The issue allows the injection of OS commands into "cgi-bin/timeconfig.py" via shell metacharacters in the NTP Server field.

Recommendations: For Iteris Vantage Velocity Field Unit versions 2.3.1, 2.4.2, and 3.0, avoid using shell metacharacters in the NTP Server field. As a temporary workaround, consider restricting access to the "cgi-bin/timeconfig.py" endpoint until a patch is available.
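The advisory does not show the code of timeconfig.py. The following is an added example, not Iteris' code, of how a CGI handler can make the NTP Server field safe by construction: an allow-list check that admits only IP literals and RFC 1123 hostnames (so shell metacharacters can never reach a command line), plus invoking the time-sync tool as an argv list with no shell. The ntpdate command, the function names and the hostname grammar are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# Assumed hostname label grammar (RFC 1123): letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 characters. The leading-hyphen rule also
# stops a value from being parsed as a command-line option by the called tool.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ntp_server(value: str) -> str:
    """Return the value if it is a plain IP address or hostname, else raise ValueError.

    Metacharacters such as ; | & $ ` ( ) < > quotes, spaces and newlines cannot
    pass, because the allow-list admits only [A-Za-z0-9.-] and ':' (IPv6).
    """
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("NTP server must be 1-253 characters")
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return value
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return value
    raise ValueError("NTP server is not a valid hostname or IP address: %r" % value)


def is_safe_ntp_server(value: str) -> bool:
    """Boolean form of the check, convenient for form validation."""
    try:
        validate_ntp_server(value)
        return True
    except ValueError:
        return False


def build_ntp_command(server: str) -> List[str]:
    """Build the argv list for the assumed time-sync tool (ntpdate)."""
    return ["ntpdate", "-u", validate_ntp_server(server)]


def apply_ntp_server(server: str) -> int:
    """Run the command without a shell, so argv is passed as-is and never re-parsed."""
    return subprocess.run(build_ntp_command(server), shell=False, check=False).returncode
```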


Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2020-9020

Affected Products: Iteris Vantage Velocity Field Unit