Command Injection Vulnerability in TRENDnet TV-IP1314PI Devices
CVE-2023-49237

9.8CRITICAL

Key Information:

Vendor: TRENDnet
Status: Tv-ip1314pi Firmware
Vendor: CVE Published:; 9 January 2024

What is CVE-2023-49237?

A command injection vulnerability has been identified in the TRENDnet TV-IP1314PI 5.5.3 200714 devices. This issue arises from the usage of the system function by the davinci component to unpack language packs without adequate filtering of URL strings. Malicious actors can exploit this flaw to execute arbitrary commands, which may lead to unauthorized access and potential manipulation of device functionality. Proper input validation and secure coding practices are crucial to mitigating this threat.

References

https://drive.google.com/file/d/1lTloBkH_7zAz1ZbFVSZnfpoP...

https://github.com/pcsle37/TRENDnet/blob/main/TRENDnet_vu...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 9, 2024
Vulnerability Reserved
Nov 24, 2023