CVE-2021-39279

🗓️ 07 Sep 2021 05:40:14Reported by mitreType

cve🔗 web.nvd.nist.gov👁 95 Views🌐 WEB

Certain MOXA devices Authenticated Command Injection via /forms/web_importTFTP. Affected models: WAC-2004 1.7, WAC-1001 2.1, WDR-3124A-US-T 2.3

Reporter	Title	Published	Views	Family All 11
0day.today	Moxa Command Injection / Cross Site Scripting Vulnerabilities	1 Sep 202100:00	–	zdt
Circl	CVE-2021-39279	21 Sep 202104:41	–	circl
CNNVD	Moxa 多款产品操作系统命令注入漏洞	1 Sep 202100:00	–	cnnvd
Check Point Advisories	Moxa Multiple Products Command Injection (CVE-2021-39279)	29 Sep 202100:00	–	checkpoint_advisories
Cvelist	CVE-2021-39279	7 Sep 202105:40	–	cvelist
EUVD	EUVD-2021-25641	7 Oct 202500:30	–	euvd
NVD	CVE-2021-39279	7 Sep 202106:15	–	nvd
OSV	CVE-2021-39279	7 Sep 202106:15	–	osv
Packet Storm	Moxa Command Injection / Cross Site Scripting / Vulnerable Software	1 Sep 202100:00	–	packetstorm
Prion	Command injection	7 Sep 202106:15	–	prion

NVD

Node

moxa wac-2004_firmwareMatch1.7

AND

moxa wac-2004Match-

Node

moxa wac-1001_firmwareMatch2.1

AND

moxa wac-1001Match-

Node

moxa wac-1001-t_firmwareMatch2.1

AND

moxa wac-1001-tMatch-

Node

moxa oncell_g3470a-lte-eu_firmwareMatch1.7

AND

moxa oncell_g3470a-lte-euMatch-

Node

moxa oncell_g3470a-lte-eu-t_firmwareMatch1.7

AND

moxa oncell_g3470a-lte-eu-tMatch-

Node

moxa tap-323-eu-ct-t_firmwareMatch1.3

AND

moxa tap-323-eu-ct-tMatch-

Node

moxa tap-323-us-ct-t_firmwareMatch1.3

AND

moxa tap-323-us-ct-tMatch-

Node

moxa tap-323-jp-ct-t_firmwareMatch1.3

AND

moxa tap-323-jp-ct-tMatch-

Node

moxa wdr-3124a-eu_firmwareMatch2.3

AND

moxa wdr-3124a-euMatch-

Node

moxa wdr-3124a-eu-t_firmwareMatch2.3

AND

moxa wdr-3124a-eu-tMatch-

Node

moxa wdr-3124a-us_firmwareMatch2.3

AND

moxa wdr-3124a-usMatch-

Node

moxa wdr-3124a-us-t_firmwareMatch2.3

AND

moxa wdr-3124a-us-tMatch-

Source	Link
moxa	www.moxa.com/
packetstormsecurity	www.packetstormsecurity.com/files/164014

Parameter	Position	Path	Description	CWE
servIP	query param	forms/web_importTFTP	Authenticated command injection via GET to /forms/web_importTFTP with crafted query to execute payload	CWE-78
configPath	query param	forms/web_importTFTP	Authenticated command injection via GET to /forms/web_importTFTP with crafted query to execute payload	CWE-78
fileName	query param	forms/web_importTFTP	Authenticated command injection via GET to /forms/web_importTFTP with crafted query to execute payload	CWE-78

21 Nov 2024 06:19Current

8.7High risk

Vulners AI Score8.7

CVSS 3.18.8

CVSS 29

EPSS0.05887

CWE-78