PT-2021-10692 · Unknown · Unibox U-50+2

Kaustubh Padwad · Published 2021-04-09 · Updated 2021-04-14 · CVE-2020-21883

CVSS v2.0: 9.0 (High), vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Unibox U-50 version 2.4, UniBox Enterprise Series version 2.4, UniBox Campus Series version 2.4
Description: An OS command injection vulnerability is present in the "/tools/ping" API endpoint; successful exploitation can lead to complete device takeover.
Recommendations: For Unibox U-50 version 2.4, restrict access to the "/tools/ping" API endpoint until a patch is available. For UniBox Enterprise Series version 2.4, avoid using the vulnerable "/tools/ping" endpoint to minimize the risk of exploitation. For UniBox Campus Series version 2.4, as a temporary workaround, disable the functionality behind the "/tools/ping" endpoint until a fix is provided.
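Added example (not code from the advisory or the vendor): the two defensive checks a ping-style endpoint needs, a target validator that hands `ping` an argv list so shell metacharacters never reach a shell, and an access-log scan that flags /tools/ping requests whose query values carry such characters. The query parameter name `host`, the combined log format and the sample lines are assumed/constructed.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Allow-list for a ping target: an IP literal or a DNS hostname (RFC 1123 labels).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def validate_ping_target(target: str) -> Optional[str]:
    """Return the target if it is a bare IP or hostname, else None."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    return target if _HOSTNAME_RE.match(target) else None

def build_ping_argv(target: str) -> Optional[List[str]]:
    """argv for subprocess.run(..., shell=False); None if the target is rejected.
    An argv list (never a shell string) means ; | & $() are just bytes, not syntax."""
    host = validate_ping_target(target)
    return None if host is None else ["ping", "-c", "3", host]

# Characters that have no place in a ping target but do drive a shell command line.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

def flag_suspicious_ping_requests(log_lines: List[str]) -> List[str]:
    """Return request URLs to /tools/ping whose query values contain shell metacharacters.
    Assumes combined-style access log lines (assumed format); POST bodies are not visible."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = m.group(1)
        parts = urlsplit(url)
        if not parts.path.startswith("/tools/ping"):
            continue
        # parse_qs percent-decodes values, so an encoded %3B shows up as ';'.
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        if any(_SHELL_META.search(v) for v in values):
            hits.append(url)
    return hits

# Constructed sample log lines (not from the advisory); the second carries an encoded ';'.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2021:10:00:00 +0000] "GET /tools/ping?host=8.8.8.8 HTTP/1.1" 200 120',
    '10.0.0.9 - - [09/Apr/2021:10:00:01 +0000] "GET /tools/ping?host=8.8.8.8%3Bid HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Apr/2021:10:00:02 +0000] "GET /status HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(build_ping_argv("8.8.8.8"), build_ping_argv("8.8.8.8;id"))
    print(flag_suspicious_ping_requests(SAMPLE_LOG))
```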

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2020-21883

Affected Products

Unibox Campus Series
Unibox Enterprise Series
Unibox U-50