Arbitrary file write via authenticated OSDP file upload

An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

对路径名的限制不恰当(路径遍历)

Carrier LenelS2 HID Mercury access panels 路径遍历漏洞

Carrier LenelS2 HID Mercury access panels是美国Carrier公司的一个控制器面板。 Carrier LenelS2 HID Mercury access panels 存在路径遍历漏洞，该漏洞源于处理目录遍历序列时存在输入验证错误问题。具有管理员权限的远程攻击者可以发送特制的 HTTP 请求，可以将任意文件上传到系统的任意位置。

N/A

N/A