CVE-2010-5330

Warnung

EPSS 44.01%
Veröffentlicht 11.06.2019 21:29:00
Zuletzt bearbeitet 05.11.2025 19:25:30
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ui ≫ Airos Version < 4.0.1

Ui ≫ Airos Version >= 4.0.2 < 5.3.5

Ui ≫ Airos Version >= 5.3.6 < 5.4.5

15.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ubiquiti AirOS Command Injection Vulnerability

Schwachstelle

Certain Ubiquiti devices contain a command injection vulnerability via a GET request to stainfo.cgi.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	44.01%	0.974

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://community.ubnt.com/t5/airMAX-General-Discussion/AirOS-Security-Exploit-Updated-Firmware/td-p/212974

Patch

Vendor Advisory

Issue Tracking

https://www.exploit-db.com/exploits/14146

Third Party Advisory

VDB Entry

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-5330

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2010-5330

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2010-5330

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2010-5330

EUVD