CVE-2024-7443

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Vivotek IB8367A VVTK-0100b. Affected is the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-273528. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.
References
Link Resource
https://vuldb.com/?ctiid.273528 Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.273528 Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?submit.383844 Third Party Advisory VDB Entry
https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4 Permissions Required
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:vivotek:ib8367a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:vivotek:ib8367a:-:*:*:*:*:*:*:*

History

06 Aug 2024, 17:47

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 9.8
References () https://vuldb.com/?ctiid.273528 - () https://vuldb.com/?ctiid.273528 - Permissions Required, Third Party Advisory, VDB Entry
References () https://vuldb.com/?id.273528 - () https://vuldb.com/?id.273528 - Permissions Required, Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.383844 - () https://vuldb.com/?submit.383844 - Third Party Advisory, VDB Entry
References () https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4 - () https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4 - Permissions Required
CPE cpe:2.3:o:vivotek:ib8367a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:vivotek:ib8367a:-:*:*:*:*:*:*:*
First Time Vivotek
Vivotek ib8367a
Vivotek ib8367a Firmware

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) ** NO SOPORTADO CUANDO SE ASIGNÓ ** Una vulnerabilidad clasificada como crítica ha sido encontrada en Vivotek IB8367A VVTK-0100b. La función getenv del archivo upload_file.cgi es afectada por la vulnerabilidad. La manipulación del argumento QUERY_STRING conduce a la inyección de comando. Es posible lanzar el ataque de forma remota. El identificador de esta vulnerabilidad es VDB-273528. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó que el árbol de lanzamiento afectado ha llegado al final de su vida útil.

03 Aug 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-03 19:15

Updated : 2024-08-06 17:47


NVD link : CVE-2024-7443

Mitre link : CVE-2024-7443

CVE.ORG link : CVE-2024-7443


JSON object : View

Products Affected

vivotek

  • ib8367a_firmware
  • ib8367a
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')