10

CVE-2020-16152

Exploit

EPSS 84.9%
Veröffentlicht 14.11.2021 21:15:07
Zuletzt bearbeitet 21.11.2024 05:06:51
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Extremenetworks ≫ Aerohive Netconfig Version < 10.0r8a

Extremenetworks ≫ Aerohive Netconfig Version10.0r8a Update-

Extremenetworks ≫ Aerohive Netconfig Version10.0r8a Updatebuild242466

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	84.9%	0.993

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-16152

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-16152

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-16152

EUVD