CVE-2019-7383

An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
VendorProductVersion
systromecumilon_isg-600c_firmware
1.1-r2.1
systromecumilon_isg-600h_firmware
1.1-r2.1
systromecumilon_isg-800w_firmware
1.1-r2.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/151648/SYSTORME-ISG-Command-Injection.html
http://seclists.org/fulldisclosure/2019/Feb/32
http://www.securityfocus.com/bid/107035
https://s3curityb3ast.github.io/KSA-Dev-003.md
https://www.breakthesec.com/2019/02/cve-2019-7383-remote-code-execution-via.html
http://packetstormsecurity.com/files/151648/SYSTORME-ISG-Command-Injection.html
http://seclists.org/fulldisclosure/2019/Feb/32
http://www.securityfocus.com/bid/107035
https://s3curityb3ast.github.io/KSA-Dev-003.md
https://www.breakthesec.com/2019/02/cve-2019-7383-remote-code-execution-via.html