Command Injection Vulnerability in Moxa AWK-3121 by Moxa
CVE-2018-10697

8.8HIGH

Key Information:

Vendor
Moxa
Status
Awk-3121 Firmware
Vendor
CVE Published:
7 June 2019

Summary

An issue was found in the Moxa AWK-3121 devices running version 1.14 that exposes the system to a command injection vulnerability. This arises from the device's implemented ping functionality, which mistakenly allows remote attackers to exploit the POST parameter 'srvName' by injecting shell metacharacters into crafted packets. Such an attack can lead to unauthorized command execution on the device, compromising its integrity and exposing the network it controls to potential threats.

References

https://github.com/samuelhuntley/Moxa_AWK_1121/blob/maste...
x_refsource_MISC
https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153223/Moxa-AWK-3121...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.