CVE-2014-8389

Published: Dec 28, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.

Affected (5)

Products: Airlive: Bu 3026 Firmware, Md 3025 Firmware, Wl 2000cam Firmware, Poe 200cam V2 Firmware, Bu 2015 Firmware

5 products

Poe 200cam V2 Firmware

Bu 2015 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Bu 3026 Firmware	Version 1.43_21.08.2014

Running on/with	Platform Versions
Airlive Bu 3026	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Md 3025 Firmware	Version 1.81_21.08.2014

Running on/with	Platform Versions
Airlive Md 3025	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Wl 2000cam Firmware	Version lm.1.6.18_14.10.2011

Running on/with	Platform Versions
Airlive Wl 2000cam	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Poe 200cam V2 Firmware	Version lm.1.6.17.01

Running on/with	Platform Versions
Airlive Poe 200cam V2	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Bu 2015 Firmware	Version 1.03.18_16.06.2014

Running on/with	Platform Versions
Airlive Bu 2015	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (10)

http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html

Source: cve@mitre.org

ExploitMitigationThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2015/Jul/29

Source: cve@mitre.org

ExploitMailing ListMitigationThird Party Advisory

http://www.securityfocus.com/archive/1/535938/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/75559

Source: cve@mitre.org

ExploitMitigationThird Party AdvisoryVDB Entry

https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection

Source: cve@mitre.org

ExploitMitigationTechnical DescriptionThird Party Advisory

http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html