In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible.
References
Link | Resource |
---|---|
https://www.vulnerability-lab.com/get_content.php?id=2186 | Exploit Third Party Advisory |
Configurations
History
No history.
Information
Published : 2019-07-09 22:15
Updated : 2024-02-04 20:20
NVD link : CVE-2019-13475
Mitre link : CVE-2019-13475
CVE.ORG link : CVE-2019-13475
JSON object : View
Products Affected
mobatek
- mobaxterm
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')