PT-2020-7392 · Zavio · Zavio Ip Cameras

Published: 2020-01-29 · Updated: 2020-02-01 · CVE-2013-2568

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zavio IP Cameras versions 1.6.3 and earlier
Description: A Command Injection issue exists via the ap parameter to the "/cgi-bin/mft/wireless mft.cgi" API endpoint, which could let a remote malicious user execute arbitrary code.
Recommendations: For Zavio IP Cameras versions 1.6.3 and earlier, as a temporary workaround, consider restricting access to the "/cgi-bin/mft/wireless mft.cgi" API endpoint to minimize the risk of exploitation. Avoid using the ap parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2013-2568

Affected Products

Zavio Ip Cameras