A vulnerability classified as critical has been found in Glory RBW-100 ISP-K05-02 7.0.0. Affected is an unknown code of the file glytoolcgi/settingfile_upload.cgi of the component File Upload. The manipulation with an unknown input leads to a unrestricted upload vulnerability. CWE is classifying the issue as CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

An issue was discovered on Glory RBW-100 devices with firmware ISP-K05-02 7.0.0. An unrestricted file upload vulnerability in the Front Circle Controller glytoolcgi/settingfile_upload.cgi allows attackers to upload supplied data. This can be used to place attacker controlled code on the filesystem that can be executed and can lead to a reverse root shell.

The bug was discovered 04/05/2019. The weakness was shared 04/05/2019. This vulnerability is traded as CVE-2019-10478 since 03/29/2019. The exploitability is told to be easy. It is possible to launch the attack remotely. A authentication is needed for exploitation. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1608.002 by the MITRE ATT&CK project.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entry 133075 is related to this item.

Productinfo

Vendor

• Glory

Name

• RBW-100

Version

• ISP-K05-02 7.0.0

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion