Alien Technology ALR-F800 File Name upgrade.cgi popen os command injection

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been declared as critical. Affected by this vulnerability is the function popen of the file /var/www/cgi-bin/upgrade.cgi of the component File Name Handler. The manipulation of the argument uploadedFile leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Alien ALR-F800 操作系统命令注入漏洞

Alien ALR-F800是Alien公司的一款RFID传感器。 Alien ALR-F800 19.10.24.00 版本及之前版本存在操作系统命令注入漏洞，该漏洞源于 /var/www/cgi-bin/upgrade.cgi 文件的 File Name Handler 组件中的 uploadedFile 参数包含一个操作系统命令注入漏洞。

N/A

N/A