Vulnerability Description
Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Topsecgroup | Tianxin Internet Behavior Management System | < 4.0.0.7_20210716.180815 |
Related Weaknesses (CWE)
References
- https://avd.aliyun.com/detail?id=AVD-2021-890232Third Party Advisory
- https://cn-sec.com/archives/4631959.htmlExploitThird Party Advisory
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972Third Party Advisory
- https://www.cnvd.org.cn/patchInfo/show/280166Patch
- https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-systemThird Party AdvisoryVDB Entry
FAQ
What is CVE-2021-4473?
CVE-2021-4473 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplyi...
How severe is CVE-2021-4473?
CVE-2021-4473 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-4473?
Check the references section above for vendor advisories and patch information. Affected products include: Topsecgroup Tianxin Internet Behavior Management System.