CVE-2021-45876

Published: Mar 21, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by unauthenticated command injection. The url parameter of the function module downloadAndUpdate is vulnerable to an command Injection. Unfiltered user input is used to generate code which then gets executed when downloading new firmware.

Affected (3)

Products: Garo: Wallbox Gtb Firmware, Wallbox Gtc Firmware, Wallbox Glb Firmware

3 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Garo Wallbox Gtb Firmware	Up to 185

Running on/with	Platform Versions
Garo Wallbox Gtb	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Garo Wallbox Gtc Firmware	Up to 185

Running on/with	Platform Versions
Garo Wallbox Gtc	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Garo Wallbox Glb Firmware	Up to 185

Running on/with	Platform Versions
Garo Wallbox Glb	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://github.com/delikely/advisory/tree/main/GARO

Source: cve@mitre.org

Third Party Advisory

https://github.com/delikely/advisory/tree/main/GARO

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.