Lucene search

TalosCVELIST:CVE-2022-33207

HistoryOct 20, 2022 - 12:00 a.m.

CVE-2022-33207

2022-10-2000:00:00

CWE-78

talos

www.cve.org

command injection

abode systems

arbitrary command execution

http request

firmware 6.9z

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.3%

JSON

Four OS command injection vulnerabilities exists in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability focuses on a second unsafe use of the default_key_id HTTP parameter to construct an OS Command at offset 0x19B234 of the /root/hpgw binary included in firmware 6.9Z.

CNA Affected

[
  {
    "vendor": "abode systems, inc.",
    "product": "iota All-In-One Security Kit",
    "versions": [
      {
        "version": "6.9X",
        "status": "affected"
      },
      {
        "version": "6.9Z",
        "status": "affected"
      }
    ]
  }
]

References

talosintelligence.com/vulnerability_reports/TALOS-2022-1568

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.3%

JSON

Related for CVELIST:CVE-2022-33207