Russian Vulnerability Scanner Database

Back to List

CVE-2022-36267

Scores

EPSS

0.702medium70.2%
0%20%40%60%80%100%

Percentile: 70.2%

CVSS

9.8critical3.x
0246810

CVSS Score: 9.8/10

All CVSS Scores

CVSS 3.x
9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.
Learn more about Scaner-VS 7

Sources

nvd

Exploits

Exploit ID: 51011

Source: exploitdb

URL: https://www.exploit-db.com/exploits/51011

Exploit ID: CVE-2022-36267

Source: github-poc

URL: https://github.com/0xNslabs/CVE-2022-36267-PoC

Vulnerable Software (1)

Type: Configuration

Vendor: *

Product: airspot_5410_firmware

Operating System: * * *

Trait: 
{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:o:airspan:airspot_5410_firmware:*:*:*:*:*:*:*:*",          "versionEndIncluding": "0.3.4.1-4",          "vulnera...

Source: nvd

End of list