Vulnerability Description
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute code on the server with root user privileges. Authentication for accessing this component can be bypassed by using Hard coded credentials.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Indionetworks | Unibox Firmware | - |
| Indionetworks | Unibox | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jan/23ExploitMailing ListThird Party Advisory
- https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-ContrExploitThird Party Advisory
- http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jan/23ExploitMailing ListThird Party Advisory
- https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-ContrExploitThird Party Advisory
FAQ
What is CVE-2019-3495?
CVE-2019-3495 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. network/mesh/edit-nds.php is vulnerable to arbitrary file upload, allowing an attacker to upload .php files and execute ...
How severe is CVE-2019-3495?
CVE-2019-3495 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3495?
Check the references section above for vendor advisories and patch information. Affected products include: Indionetworks Unibox Firmware, Indionetworks Unibox.