PT-2021-10090 · Barco · Barco Transform N

Published: 2021-01-08 · Updated: 2021-01-13 · CVE-2020-17502

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Barco TransForm N versions prior to 3.8
Description: A command injection flaw allows authenticated users of the administration panel to execute code remotely. The flaw is in the split card cmd.php file, where the HTTP parameters xmodules, ymodules, and savelocking are not properly handled. The web administration panel is made available over HTTPS.
Recommendations: Update versions prior to 3.8 to version 3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the split card cmd.php file and the HTTP parameters xmodules, ymodules, and savelocking to minimize the risk of exploitation.

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2020-17502

Affected Products: Barco Transform N