PT-2021-10092 · Barco · Barco Transform N

Published: 2021-01-08 · Updated: 2021-01-14 · CVE-2020-17504

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Barco TransForm N versions prior to 3.8
Description: The NDN-210 device has a web administration panel accessible over HTTPS, where a command injection issue allows authenticated users to perform remote code execution. The issue is caused by improper handling of the HTTP parameters x_modules and y_modules in the ngpsystemcmd.php file.
Recommendations: Update to TransForm N version 3.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the ngpsystemcmd.php file and to its x_modules and y_modules parameters to minimize the risk of exploitation.
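
Detection example (added here, not part of the advisory or of Barco's code): a log check that flags requests to ngpsystemcmd.php whose x_modules or y_modules value is not a plain number. Assumptions: the parameters appear on the wire as x_modules and y_modules, legitimate values are small integers, the script sits at the path shown, and requests are logged in combined log format; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TARGET = "ngpsystemcmd.php"            # script named in the advisory
WATCHED = ("x_modules", "y_modules")   # parameters named in the advisory
# Assumption: legitimate values are short decimal numbers.
EXPECTED = re.compile(r"[0-9]{1,4}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - admin [08/Jan/2021:10:00:01 +0000] '
    '"GET /ngpsystemcmd.php?x_modules=2&y_modules=2 HTTP/1.1" 200 512',
    '192.0.2.44 - admin [08/Jan/2021:10:03:17 +0000] '
    '"GET /ngpsystemcmd.php?x_modules=2%3Bexample&y_modules=2 HTTP/1.1" 200 498',
    '192.0.2.10 - admin [08/Jan/2021:10:05:40 +0000] '
    '"GET /index.php?x_modules=abc HTTP/1.1" 200 1024',
    '192.0.2.44 - admin [08/Jan/2021:10:06:02 +0000] '
    '"GET /ngpsystemcmd.php?x_modules=2&y_modules=%24%28example%29 HTTP/1.1" 200 498',
]

def query_params(query):
    """Yield decoded (name, value) pairs; split on '&' only so ';' stays in the value."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def suspicious_requests(lines):
    """Return (line_number, parameter, decoded_value) for every unexpected value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rsplit("/", 1)[-1] != TARGET:
            continue  # only the script named in the advisory is in scope
        for name, value in query_params(url.query):
            if name in WATCHED and not EXPECTED.fullmatch(value):
                hits.append((number, name, value))
    return hits

if __name__ == "__main__":
    for number, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r}")
```

Access logs record only the query string, so parameters sent in a POST body need request-body logging at a reverse proxy or WAF to be covered by the same check.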

Fix

Command Injection


Weakness Enumeration

Related Identifiers

CVE-2020-17504

Affected Products

Barco Transform N