Vulnerability Description
An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. The tools/ping Ping feature of the Diagnostic Tools component is vulnerable to Remote Command Execution, allowing an attacker to execute arbitrary system commands on the server with root user privileges. Authentication for accessing this component can be bypassed by using Hard coded credentials.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Indionetworks | Unibox Firmware | - |
| Indionetworks | Unibox | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jan/23ExploitMailing ListThird Party Advisory
- https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-ContrExploitThird Party Advisory
- http://packetstormsecurity.com/files/151077/Wifi-soft-Unibox-2.x-Remote-Command-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2019/Jan/23ExploitMailing ListThird Party Advisory
- https://sahildhar.github.io/blogpost/Multiple-RCE-Vulnerabilties-in-Unibox-ContrExploitThird Party Advisory
FAQ
What is CVE-2019-3497?
CVE-2019-3497 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered on Wifi-soft UniBox controller 0.x through 2.x devices. The tools/ping Ping feature of the Diagnostic Tools component is vulnerable to Remote Command Execution, allowing an att...
How severe is CVE-2019-3497?
CVE-2019-3497 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-3497?
Check the references section above for vendor advisories and patch information. Affected products include: Indionetworks Unibox Firmware, Indionetworks Unibox.