CVE-2024-42025

Published: Sep 13, 2024Modified: Sep 28, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device.

Affected (1)

Products: Ui: Unifi Network Application

1 product

Unifi Network Application

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ui Unifi Network Application	Before 8.4.59

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://community.ui.com/releases/Security-Advisory-Bulletin-042-042/c4f68b56-cdc4-4128-b2cb-5870209d1704

Source: support@hackerone.com

Vendor Advisory

Timeline

No history available yet.