CVE-2019-9189

Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be immediately executed because of root code execution, not as a web server user, allowing an authenticated attacker to gain full system access.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
primasystemsflexair
𝑥
≤ 2.3.38
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/155273/Prima-Access-Control-2.3.35-Script-Upload-Remote-Code-Execution.html
https://applied-risk.com/index.php/download_file/view/199/165
https://applied-risk.com/labs/advisories
https://applied-risk.com/resources/ar-2019-007
https://www.us-cert.gov/ics/advisories/icsa-19-211-02
http://packetstormsecurity.com/files/155273/Prima-Access-Control-2.3.35-Script-Upload-Remote-Code-Execution.html
https://applied-risk.com/index.php/download_file/view/199/165
https://applied-risk.com/labs/advisories
https://applied-risk.com/resources/ar-2019-007
https://www.us-cert.gov/ics/advisories/icsa-19-211-02