CVE-2024-13502
CVE-2024-13502
9.3
CriticalPublished:
Last updated:
Source:vulnerability@ncsc.ch
Deferred
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Adjacent
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- High
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- High
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- High
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion.This issue affects NTC2218, NTC2250, NTC2299: from 1.0.1.1 through 2.2.6.19. The `commit_multicast` page used to configure multicasts in the modem's web administration interface uses improperly parses incoming data from the request before passing it to an `eval` statement in a bash script. This allows attackers to inject arbitrary shell commands.
References
vulnerability@ncsc.ch
https://doi.org/10.1145/3643833.3656139vulnerability@ncsc.ch
https://www.youtube.com/watch?v=-pxmly8xeas