CVE-2014-5502

Published: Oct 7, 2014Modified: May 6, 2026

9.0

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability: 8.0 / Impact: 10.0

Source: NVD

Description

The Sophos Cyberoam appliances with CyberoamOS before 10.6.1 GA allows remote authenticated users to inject arbitrary commands via a (1) checkcert_key, (2) webclient_portal_settings, (3) sslvpn_liveuser_delete, or (4) ccc_flush_sql_file opcode.

Affected (2)

Products: Cyberoam: Cyberoam Os

Cyberoam

1 product

Cyberoam Os

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Cyberoam Cyberoam Os	Up to 10.4
Cyberoam Cyberoam Os	Up to 10.6.1

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (10)

http://kb.cyberoam.com/default.asp?id=3049

Source: cve@mitre.org

Vendor Advisory

http://www.zerodayinitiative.com/advisories/ZDI-14-328/

Source: cve@mitre.org

http://www.zerodayinitiative.com/advisories/ZDI-14-331/

Source: cve@mitre.org

http://www.zerodayinitiative.com/advisories/ZDI-14-332/

Source: cve@mitre.org

http://www.zerodayinitiative.com/advisories/ZDI-14-333/

Source: cve@mitre.org

http://kb.cyberoam.com/default.asp?id=3049