Lucene search

4 matches found

CNVD
added 2020/02/11 12:0 a.m. | 1 views

Bitdefender BOX 2 Operating System Command Injection Vulnerability

Bitdefender BOX is a smart home security control device from the Romanian company Bitdefender. An operating system command injection vulnerability exists in Bitdefender BOX 2. The vulnerability arises from the failure of a network system or product to properly filter special characters, commands,...

CVSS 9.8 | AI score 8 | EPSS 0.02074
Exploits: 0 | References: 1

OSV
added 2020/01/27 6:15 p.m. | 3 views

CVE-2019-17095

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/downloadimage unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In ord...

CVSS 9.8 | AI score 7.4 | EPSS 0.04234
Exploits: 1 | References: 3

OSV
added 2020/01/27 5:15 p.m. | 2 views

CVE-2019-17096

An OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the getimageurl function in special circumstances to inject a system command...

CVSS 9.8 | AI score 7.3 | EPSS 0.02074
Exploits: 0 | References: 1

OSV
added 2020/01/27 2:15 p.m. | 5 views

CVE-2019-17102

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/updatesetup does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system...

CVSS 8.1 | AI score 7.4 | EPSS 0.01948
Exploits: 0 | References: 1