#VU17440 OS Command Injection in Lifesize, Inc. products

Published: February 8, 2019


Vulnerability identifier: #VU17440
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Lifesize Networker
Lifesize Passport
Lifesize Room
Lifesize Team
Software vendor:
Lifesize, Inc.

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands.

The vulnerability exists because user input is taken as-is from $_REQUEST['mtu_size'] and then passed without any validation into shell_exec(). A remote attacker can trick the victim into visiting a malicious page or opening a malicious file, inject arbitrary shell commands and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.
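The following PHP is an added illustration of the CWE-78 pattern the advisory describes, placed next to a hardened version; it is not Lifesize code and none of it was taken from the affected products. The `ip link` command, the interface name `eth0` and the MTU range 68..9000 are assumptions made for the example only.

```php
<?php
// Added illustration (not Lifesize code): untrusted input reaching shell_exec(),
// and a hardened replacement. The command, interface and MTU bounds are assumptions.

// --- Vulnerable pattern, as described in the advisory ---
function set_mtu_vulnerable(): ?string
{
    // $_REQUEST merges GET, POST and cookie data, so the value can arrive
    // via a link or page the victim is lured into loading.
    $mtu = $_REQUEST['mtu_size'];
    // The raw value is concatenated straight into a shell command string.
    return shell_exec("ip link set dev eth0 mtu " . $mtu);
}

// --- Hardened version ---
function set_mtu_hardened(array $post): string
{
    // 1. Read only from the POST body (passed in explicitly for testability),
    //    never from $_REQUEST.
    // 2. Allow-list validation: the parameter must be an integer within a
    //    plausible MTU range. Anything else is rejected before a shell is involved.
    $mtu = filter_var(
        $post['mtu_size'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 68, 'max_range' => 9000]]
    );
    if ($mtu === false) {
        // Log the rejection so repeated malformed values are visible to monitoring.
        error_log('rejected mtu_size value: ' . var_export($post['mtu_size'] ?? null, true));
        http_response_code(400);
        return 'invalid mtu_size';
    }

    // 3. Defence in depth: quote the argument even though it is now a known integer,
    //    so no shell metacharacters could ever be interpreted.
    $cmd = 'ip link set dev eth0 mtu ' . escapeshellarg((string) $mtu);

    // 4. Use exec() with a captured exit status so failures are reported instead of
    //    being silently returned as null by shell_exec().
    exec($cmd . ' 2>&1', $output, $status);
    if ($status !== 0) {
        error_log('mtu change failed: ' . implode("\n", $output));
        return 'mtu change failed';
    }
    return 'ok';
}

// Usage (server-side handler):
// echo set_mtu_hardened($_POST);
```

The two changes that matter are the integer allow-list before any shell call and the switch from `$_REQUEST` to a single, explicit request source; `escapeshellarg()` alone is a secondary layer, since a numeric setting should never need arbitrary characters. Where the underlying operation can be performed without a shell at all (a native API or a constrained helper binary invoked via `proc_open()` with an argument array), that is preferable to any string-built command.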


Remediation

Cybersecurity Help is currently unaware of any official solution to address the vulnerability.

External links