Vulnerabilities > CVE-2017-12576 - Exposure of Resource to Wrong Sphere vulnerability in Planex Cs-Qr20 Firmware 1.30

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

planex

CWE-668

critical

NVD

Published: 2018-08-24

Updated: 2019-10-03

Summary

An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes, once you login and access the page directly (/admin/system_command.asp), you can execute any command.

Vulnerable Configurations

Part	Description	Count
OS	Planex Planex CS Qr20 Firmware 1.30	1
Hardware	Planex Planex CS Qr20 -	1

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Packetstorm

data source	https://packetstormsecurity.com/files/download/149062/planex-exec.txt
id	PACKETSTORM:149062
last seen	2018-08-25
published	2018-08-23
reporter	Kenney Lu
source	https://packetstormsecurity.com/files/149062/PLANEX-CS-QR20-Command-Execution.html
title	PLANEX CS-QR20 Command Execution

References

http://seclists.org/fulldisclosure/2018/Aug/27