Code injection

2023-04-2821:15:00

PRIOn knowledge base

www.prio-n.com

code injection

xcc

user roles

trespass

cli

ssh

read-only permissions

6.5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.7%

JSON

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

CPENameOperatorVersion
thinkagile_hx1021_firmwareeq< 3.72-tei388s
thinkagile_hx1320_firmwareeq< 8.88-cdi3a4a
thinkagile_hx1321_firmwareeq< 8.88-cdi3a4a
thinkagile_hx1331_firmwareeq< 2.93-afbt30p
thinkagile_hx1520-r_firmwareeq< 8.88-cdi3a4a
thinkagile_hx1521-r_firmwareeq< 8.88-cdi3a4a
thinkagile_hx2320-e_firmwareeq< 8.88-cdi3a4a
thinkagile_hx2321_firmwareeq< 8.88-cdi3a4a
thinkagile_hx2330_firmwareeq< 2.93-afbt30p
thinkagile_hx2330_firmwareeq2.93.0-afbt30-p

Name	Operator	Version
thinkagile_hx1021_firmware	eq	< 3.72-tei388s
thinkagile_hx1320_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx1321_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx1331_firmware	eq	< 2.93-afbt30p
thinkagile_hx1520-r_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx1521-r_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx2320-e_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx2321_firmware	eq	< 8.88-cdi3a4a
thinkagile_hx2330_firmware	eq	< 2.93-afbt30p
thinkagile_hx2330_firmware	eq	2.93.0-afbt30-p