Vulnerability CVE-2017-12576


Published: 2018-08-24

Description:
An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes; once you log in and access the page directly (/admin/system_command.asp), you can execute any command.

See advisories in our WLB2 database:
Topic: [High] PLANEX CS-QR20 Command Execution
Author: Kenney Lu
Date: 24.08.2018

Type: CWE-668 (Exposure of Resource to Wrong Sphere)

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
Planex -> Cs-qr20 firmware

References:
http://seclists.org/fulldisclosure/2018/Aug/27
