nessus
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
GPON_CVE-2019-3920.NBIN
History: Mar 28, 2019 - 12:00 a.m.

GPON ONT Home Gateway Authenticated Remote Command Execution (CVE-2019-3920)

www.tenable.com

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.971 High
Percentile: 99.8%

An issue was discovered in the GPON ONT Home Gateway web administration interface. A remote command execution vulnerability exists in the /GponForm/device_Form?script/ component due to insufficient input validation. An authenticated, remote attacker can exploit this to escalate their permission level and execute arbitrary commands with root privileges.

Note that Nessus has authenticated to the GPON Home Gateway web interface by using supplied credentials, or has utilized an authentication bypass issue (CVE-2018-10561), in order to exploit this vulnerability.

Binary data gpon_cve-2019-3920.nbin
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| dasannetworks | gpon_router | | cpe:/a:dasannetworks:gpon_router |
