9.8

CVE-2018-11229

Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via command injection in Crestron Toolbox Protocol (CTP).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CrestronCrestron Toolbox Protocol Firmware Version < 2.001.0037.001
   CrestronDmc-str Version-
   CrestronTsw-1060 Version-
   CrestronTsw-1060-nc Version-
   CrestronTsw-560 Version-
   CrestronTsw-560-nc Version-
   CrestronTsw-760 Version-
   CrestronTsw-760-nc Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.71% 0.92
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/105051
Third Party Advisory
VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-18-221-01
Third Party Advisory
US Government Resource
https://support.crestron.com/app/answers/answer_view/a_id/5471/~/the-latest-details-from-crestron-on-security-and-safety-on-the-internet
Vendor Advisory