CVE-2015-2279

Published: Jul 25, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or write_hdv parameter.

Affected (3)

Products: Airlive: Bu 2015 Firmware, Bu 3026 Firmware, Md 3025 Firmware

3 products

Bu 2015 Firmware

Bu 3026 Firmware

Md 3025 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Bu 2015 Firmware	Version 1.03.18

Running on/with	Platform Versions
Airlive Bu 2015	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Bu 3026 Firmware	Version 1.43

Running on/with	Platform Versions
Airlive Bu 3026	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Airlive Md 3025 Firmware	Version 1.81

Running on/with	Platform Versions
Airlive Md 3025	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (12)

http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2015/Jul/29

Source: cve@mitre.org

ExploitMailing ListThird Party AdvisoryVDB Entry

http://www.securityfocus.com/archive/1/535938/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/bid/75559

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

https://www.exploit-db.com/exploits/37532/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2015/Jul/29

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party AdvisoryVDB Entry

http://www.securityfocus.com/archive/1/535938/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/75559

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

https://www.exploit-db.com/exploits/37532/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.