Main Vulnerability Database Vulnerabilities #VU48226

OS Command Injection in AVTECH Corporation products - #VU48226

Published: November 9, 2020

Vulnerability identifier: #VU48226

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
IP camera
DVR
NVR

Software vendor:
AVTECH Corporation

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in "/cgi-bin/supervisor/PwdGrp.cgi" and "/cgi-bin/supervisor/adcommand.cgi" scripts. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with root privileges.

Remediation

Install updates from vendor's website.

External links

https://www.exploit-db.com/exploits/40500/

OS Command Injection in AVTECH Corporation products - #VU48226

Description

Remediation

External links

Please verify you're human