| Title | vivotek CC8160 VVTK-0100d command injection |
|---|
| Description | vivotek CC8160 has command injection vulnerability in upload_file.cgi via GET request.The program receives the attacker's GET request through the getenv function at line 61, obtains the value of the first field through the code at line 69, and concatenates it into a formatted string using the snprintf function. Finally, the systemfunction is used to execute the system command. Because the attacker's input is not filtered, any command can be executed. |
|---|
| Source | ⚠️ https://yjz233.notion.site/0213043a8c7e498a9e73a0b6f0fa9f29?pvs=4 |
|---|
| User | jylsec (UID 60282) |
|---|
| Submission | 07/31/2024 15:28 (2 years ago) |
|---|
| Moderation | 08/02/2024 23:36 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 273525 [Vivotek CC8160 VVTK-0100d upload_file.cgi getenv QUERY_STRING command injection] |
|---|
| Points | 17 |
|---|