CVE-2018-18879

Published: Jun 18, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.

Affected (1)

Products: Columbiaweather: Weather Microserver Firmware

Columbiaweather

1 product

Weather Microserver Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Columbiaweather Weather Microserver Firmware	Version ms_2.6.9900

Running on/with	Platform Versions
Columbiaweather Weather Microserver	All versions

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://applied-risk.com/labs/advisories

Source: cve@mitre.org

Third Party Advisory

https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02

Source: cve@mitre.org

Third Party AdvisoryUS Government Resource

https://applied-risk.com/labs/advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://ics-cert.us-cert.gov/advisories/ICSA-19-078-02

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.