CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
52.7%
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the system
call in the file /web/MANGA/cgi-bin/api.cgi
for firmware version 6.3.5 at offset 0x4bddb8.
Vendor | Product | Version | CPE |
---|---|---|---|
peplink | surf_soho_firmware | 6.3.5 | cpe:2.3:o:peplink:surf_soho_firmware:6.3.5:*:*:*:*:*:*:* |
peplink | surf_soho | hw1 | cpe:2.3:h:peplink:surf_soho:hw1:*:*:*:*:*:*:* |
[
{
"vendor": "Peplink",
"product": "Surf SOHO HW1",
"versions": [
{
"version": "v6.3.5 (in QEMU)",
"status": "affected"
}
]
}
]