PT-2020-7394 · Zavio · Zavio Ip Cameras

Published

2020-01-29

Updated

2020-02-01

CVE-2013-2570

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Zavio IP Cameras versions 1.6.3 and earlier

Description: A Command Injection issue exists in the General.Time.NTP.Server parameter to the sub C8C8 function of the binary /opt/cgi/view/param, which could let a remote malicious user execute arbitrary code.

Recommendations: For versions 1.6.3 and earlier, consider restricting access to the General.Time.NTP.Server parameter to minimize the risk of exploitation. As a temporary workaround, consider disabling the sub C8C8 function of the binary /opt/cgi/view/param until a patch is available. Avoid using the General.Time.NTP.Server parameter in the affected binary until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2013-2570

Affected Products

Zavio Ip Cameras

PT-2020-7394 · Zavio · Zavio Ip Cameras

CVE-2013-2570

Weakness Enumeration

Related Identifiers

Affected Products

References · 7