Argument Injection Vulnerability in MobaXterm by Mobatek
CVE-2019-13475

8.8HIGH

Key Information:

Vendor: Mobatek
Status: Mobaxterm
Vendor: CVE Published:; 9 July 2019

What is CVE-2019-13475?

In MobaXterm version 11.1, a weakness exists within the URI handler that permits remote attackers to inject arguments, specifically allowing the execution of arbitrary commands. This vulnerability is exploitable when a user interacts with a manipulated mobaxterm URI. Attackers can pass crafted arguments, including -exec, which enable command execution without proper visibility. The incorporation of additional flags such as -hideterm and -exitwhendone further obfuscates the attack, making detection more challenging for users.

References

https://www.vulnerability-lab.com/get_content.php?id=2186

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2019
Vulnerability Reserved
Jul 9, 2019