CVE-2019-16305

In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
VendorProductVersion
mobatekmobaxterm
11.1
mobatekmobaxterm
12.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://freetom.github.io/0day/2019/09/14/MobaXterm-command-exec-in-protocol-handler.html
https://freetom.github.io/0day/2019/09/14/MobaXterm-command-exec-in-protocol-handler.html