Vulnerabilities > CVE-2020-16152 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Extremenetworks Aerohive Netconfig 10.0R8A

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

extremenetworks

CWE-829

critical

NVD

Published: 2021-11-14

Updated: 2021-11-18

Summary

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Vulnerable Configurations

Part	Description	Count
Hardware	Extremenetworks Extremenetworks Aerohive Netconfig 10.0R8A Extremenetworks Aerohive Netconfig *	3

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

http://packetstormsecurity.com/files/164957/Aerohive-NetConfig-10.0r8a-Local-File-Inclusion-Remote-Code-Execution.html
https://gtacknowledge.extremenetworks.com/articles/Vulnerability_Notice/VN-2020-001