CVE-2024-7442

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been rated as critical. This issue affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-273527. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.
References
Link Resource
https://vuldb.com/?ctiid.273527 Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.273527 Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?submit.383843 Third Party Advisory VDB Entry
https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4 Permissions Required
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:vivotek:sd9364_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:vivotek:sd9364:-:*:*:*:*:*:*:*

History

06 Aug 2024, 17:45

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 9.8
First Time Vivotek sd9364
Vivotek sd9364 Firmware
Vivotek
References () https://vuldb.com/?ctiid.273527 - () https://vuldb.com/?ctiid.273527 - Permissions Required, Third Party Advisory, VDB Entry
References () https://vuldb.com/?id.273527 - () https://vuldb.com/?id.273527 - Permissions Required, Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.383843 - () https://vuldb.com/?submit.383843 - Third Party Advisory, VDB Entry
References () https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4 - () https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4 - Permissions Required
CPE cpe:2.3:o:vivotek:sd9364_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:vivotek:sd9364:-:*:*:*:*:*:*:*

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) ** NO SOPORTADO CUANDO SE ASIGNÓ ** Se encontró una vulnerabilidad en Vivotek SD9364 VVTK-0103f. Ha sido calificada como crítica. Este problema afecta la función getenv del archivo upload_file.cgi. La manipulación del argumento QUERY_STRING conduce a la inyección de comando. El ataque puede iniciarse de forma remota. El identificador asociado de esta vulnerabilidad es VDB-273527. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó que el árbol de lanzamiento afectado ha llegado al final de su vida útil.

03 Aug 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-03 18:15

Updated : 2024-08-06 17:45


NVD link : CVE-2024-7442

Mitre link : CVE-2024-7442

CVE.ORG link : CVE-2024-7442


JSON object : View

Products Affected

vivotek

  • sd9364
  • sd9364_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')