SB2019020806 - Command execution in Lifesize products


Published: February 8, 2019

Security Bulletin ID: SB2019020806
CSH Severity: High
Patch available: NO
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) OS Command Injection (CVE-ID: N/A)

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands.

The vulnerability exists because user input is taken as-is from $_REQUEST['mtu_size'] and then passed without any validation into "shell_exec". A remote attacker can trick the victim into visiting a malicious page or opening a malicious file, inject arbitrary shell commands and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.
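To make the defect concrete, the following added PHP example (not Lifesize's code) places the pattern the bulletin describes next to a hardened version. The request parameter name comes from the bulletin; the interface name, the accepted MTU range and the underlying command are assumptions.

```php
<?php
// Added example, not Lifesize's code. The vulnerable function mirrors the bulletin's
// description; the hardened one shows one way to close the hole.

// VULNERABLE: the request value flows straight into shell_exec, so any shell
// metacharacters in it are interpreted by the shell (the defect in the bulletin).
function set_mtu_vulnerable(array $request): ?string
{
    $mtu = $request['mtu_size'];                       // attacker-controlled, unvalidated
    return shell_exec("ip link set eth0 mtu " . $mtu); // interface and command assumed
}

// HARDENED: accept only a plain decimal integer inside a plausible MTU range.
// FILTER_VALIDATE_INT rejects anything that is not a bare integer, so characters
// such as ';', '|' or '`' can never reach the shell.
function validate_mtu($raw): ?int
{
    $mtu = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 576, 'max_range' => 9000], // assumed range
    ]);
    return ($mtu === false) ? null : $mtu;
}

function set_mtu_hardened(array $request): ?string
{
    $mtu = validate_mtu($request['mtu_size'] ?? null);
    if ($mtu === null) {
        // Reject the request; logging the rejected raw value server-side gives
        // defenders a detection signal for injection attempts.
        error_log('rejected mtu_size value: ' . var_export($request['mtu_size'] ?? null, true));
        return null;
    }
    // Defence in depth: quote the argument even though it is already a validated int.
    // The web server process should also not run with the elevated privileges the
    // bulletin mentions, so that a bypass would not yield root.
    return shell_exec("ip link set eth0 mtu " . escapeshellarg((string) $mtu));
}

// Constructed inputs: a normal value passes, a value carrying a metacharacter is refused.
var_dump(validate_mtu("1500"));
var_dump(validate_mtu("1500;"));
```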


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.