PT-2021-23503 · Visual Tools · Visual Tools Dvr Vx16

Andrea Dubaldo

Published

2021-10-07

Updated

2021-10-15

CVE-2021-42071

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Visual Tools DVR VX16 version 4.2.28.0

Description An unauthenticated attacker can achieve remote command execution via shell metacharacters in the "cgi-bin/slogin/login.py" API endpoint, specifically in the User-Agent HTTP header.

Recommendations For Visual Tools DVR VX16 version 4.2.28.0, consider restricting access to the "cgi-bin/slogin/login.py" API endpoint until a patch is available. As a temporary workaround, avoid using shell metacharacters in the User-Agent HTTP header to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2021-42071

Affected Products

Visual Tools Dvr Vx16

PT-2021-23503 · Visual Tools · Visual Tools Dvr Vx16

CVE-2021-42071

Weakness Enumeration

Related Identifiers

Affected Products

References · 7