| Titolo | vivotek SD9364 VVTK-0103f command injection |
|---|
| Descrizione | vivotek SD9364 has command injection vulnerability in upload_file.cgi. The program receives the attacker's GET request through the getenv function at line 59, obtains the value of the first field through the code at line 67, and concatenates it into a formatted string using the snprintf function. Finally, the systemfunction is used to execute the system command. Because the attacker's input is not filtered, any command can be executed. |
|---|
| Fonte | ⚠️ https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4 |
|---|
| Utente | jylsec (UID 60282) |
|---|
| Sottomissione | 31/07/2024 15:34 (2 anni fa) |
|---|
| Moderazione | 02/08/2024 23:36 (2 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 273527 [Vivotek SD9364 VVTK-0103f upload_file.cgi getenv QUERY_STRING escalationi di privilegi] |
|---|
| Punti | 17 |
|---|