CVE-2024-7443

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Vivotek IB8367A VVTK-0100b. Affected is the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-273528. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.5 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://vuldb.com/?ctiid.273528	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.273528	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?submit.383844	Third Party Advisory VDB Entry
https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4	Permissions Required

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:vivotek:ib8367a_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:vivotek:ib8367a:-:*:*:*:*:*:*:*

History

06 Aug 2024, 17:47

Type	Values Removed	Values Added
CVSS	v2 : ~~6.5~~ v3 : ~~6.3~~	v2 : 6.5 v3 : 9.8
References	~~() https://vuldb.com/?ctiid.273528 -~~	() https://vuldb.com/?ctiid.273528 - Permissions Required, Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?id.273528 -~~	() https://vuldb.com/?id.273528 - Permissions Required, Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.383844 -~~	() https://vuldb.com/?submit.383844 - Third Party Advisory, VDB Entry
References	~~() https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4 -~~	() https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4 - Permissions Required
CPE		cpe:2.3:o:vivotek:ib8367a_firmware:-:::::::* cpe:2.3:h:vivotek:ib8367a:-:::::::*
First Time		Vivotek Vivotek ib8367a Vivotek ib8367a Firmware

05 Aug 2024, 12:41

Type	Values Removed	Values Added
Summary		(es) NO SOPORTADO CUANDO SE ASIGNÓ Una vulnerabilidad clasificada como crítica ha sido encontrada en Vivotek IB8367A VVTK-0100b. La función getenv del archivo upload_file.cgi es afectada por la vulnerabilidad. La manipulación del argumento QUERY_STRING conduce a la inyección de comando. Es posible lanzar el ataque de forma remota. El identificador de esta vulnerabilidad es VDB-273528. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó que el árbol de lanzamiento afectado ha llegado al final de su vida útil.

03 Aug 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-03 19:15

Updated : 2024-08-06 17:47

NVD link : CVE-2024-7443

Mitre link : CVE-2024-7443

CVE.ORG link : CVE-2024-7443

JSON object : View

Products Affected

vivotek

ib8367a_firmware
ib8367a

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

9.8 /10