10

CVE-2018-11228

Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via a Bash shell service in Crestron Toolbox Protocol (CTP).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CrestronCrestron Toolbox Protocol Firmware Version < 2.001.0037.001
   CrestronDmc-str Version-
   CrestronTsw-1060 Version-
   CrestronTsw-1060-nc Version-
   CrestronTsw-560 Version-
   CrestronTsw-560-nc Version-
   CrestronTsw-760 Version-
   CrestronTsw-760-nc Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 7.58% 0.938
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 10 10 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://www.securityfocus.com/bid/105051
Third Party Advisory
VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01
Third Party Advisory
US Government Resource
https://support.crestron.com/app/answers/answer_view/a_id/5471/~/the-latest-details-from-crestron-on-security-and-safety-on-the-internet
Vendor Advisory