PT-2021-22243 · Nascent · Nascent Remkon Device Manager

Published: 2021-08-24 · Updated: 2021-08-31 · CVE-2021-38611

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

NASCENT RemKon Device Manager version 4.0.0.0

Description

A command-injection issue in the Image Upload function allows attackers to execute arbitrary commands as root via shell metacharacters in the filename parameter to "assets/index.php".

Recommendations

For NASCENT RemKon Device Manager version 4.0.0.0, consider disabling the Image Upload function until a patch is available to prevent exploitation. Restrict access to the "assets/index.php" endpoint to minimize the risk of command injection. Avoid using shell metacharacters in the filename parameter to prevent arbitrary command execution.

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2021-38611

Affected Products

Nascent Remkon Device Manager