CVE-2019-13475

In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible.
References
Link Resource
https://www.vulnerability-lab.com/get_content.php?id=2186 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mobatek:mobaxterm:11.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-07-09 22:15

Updated : 2024-02-04 20:20


NVD link : CVE-2019-13475

Mitre link : CVE-2019-13475

CVE.ORG link : CVE-2019-13475


JSON object : View

Products Affected

mobatek

  • mobaxterm
CWE
CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')