| Title | Vivotek SD9364 VVTK-0103f command injection |
|---|---|
| Description | Vivotek SD9364 has a command injection vulnerability in upload_file.cgi. The program receives the attacker's GET request through the getenv function at line 59, obtains the value of the first field through the code at line 67, and concatenates it into a formatted string using the snprintf function. Finally, the system function is used to execute the system command. Because the attacker's input is not filtered, any command can be executed. |
| Source | https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4 |
| User | jylsec (UID 60282) |
| Submission | 07/31/2024 15:34 (2 years ago) |
| Moderation | 08/02/2024 23:36 (2 days later) |
| Status | Accepted |
| VulDB entry | 273527 [Vivotek SD9364 VVTK-0103f upload_file.cgi getenv QUERY_STRING command injection] |
| Points | 17 |
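
The description names the flaw as an unfiltered query-string field reaching `system` by way of `snprintf`. The following is an added example of the corresponding fix pattern, not code from the firmware or the submission: the first field's value is checked against an allowlist and then passed as a single argv element with no shell involved. The function names and the helper path are hypothetical.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HELPER "/usr/bin/hypothetical_helper"   /* assumed path, not from the page */

/* Extract the value of the first field of a query string ("name=value&...")
 * and accept it only if it is a plain token. Returns 0 on success, -1 if
 * the field is missing, empty, too long, or has a disallowed byte. */
int first_field_value(const char *qs, char *out, size_t outlen)
{
    if (qs == NULL || out == NULL || outlen == 0)
        return -1;
    size_t flen = strcspn(qs, "&");              /* first field only */
    const char *eq = memchr(qs, '=', flen);
    if (eq == NULL)
        return -1;
    const char *val = eq + 1;
    size_t n = flen - (size_t)(val - qs);
    if (n == 0 || n >= outlen)
        return -1;
    if (val[0] == '-' || val[0] == '.')          /* no option-like or dot-leading values */
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)val[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return -1;                           /* rejects ; | & $ ` space, quotes, / ... */
    }
    memcpy(out, val, n);
    out[n] = '\0';
    return 0;
}

/* Run the helper with the value as one argv element. No shell parses the
 * string, unlike snprintf(cmd, ...) followed by system(cmd). */
int run_helper(const char *value)
{
    char *const argv[] = { (char *)HELPER, (char *)value, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(HELPER, argv);
        _exit(127);                              /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A CGI handler would call `first_field_value(getenv("QUERY_STRING"), buf, sizeof buf)` and return an error response on `-1` instead of calling `run_helper`.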