CVE-2022-33204
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
60.2%
Four OS command injection vulnerabilities exists in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.This vulnerability focuses on the unsafe use of the ssid_hex HTTP parameter to construct an OS Command at offset 0x19afc0 of the /root/hpgw binary included in firmware 6.9Z.
Affected configurations
CNA Affected
[
{
"vendor": "abode systems, inc.",
"product": "iota All-In-One Security Kit",
"versions": [
{
"version": "6.9X",
"status": "affected"
},
{
"version": "6.9Z",
"status": "affected"
}
]
}
]Social References
More
Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
60.2%