CVE-2020-16152

Published: Nov 14, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Affected (3)

Products: Extremenetworks: Aerohive Netconfig

Extremenetworks

1 product

Aerohive Netconfig

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Extremenetworks Aerohive Netconfig	Before 10.0r8a
Extremenetworks Aerohive Netconfig	Version 10.0r8a
Extremenetworks Aerohive Netconfig	Version 10.0r8a build242466

Related CWEs

Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References (4)

http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001

Source: cve@mitre.org

Vendor Advisory

http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.