CVE-2018-5757

HIGH Year: 2018
CVSS v3 Score
8.8
High
CVSS v2 Score
9.0
Critical
Weakness Type
CWE-78
View all →

Vulnerability Description

An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web UI, unsafely puts user-alterable data directly into an OS command, leading to Remote Code Execution via shell metacharacters in the query string.

Related Vulnerabilities

CVE-2011-3178

HIGH
CVSS:8.8(High)

In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode.

CWE-782011

CVE-2012-4981

HIGH
CVSS:8.8(High)

Toshiba ConfigFree 8.0.38 has a CF7 File Remote Command Execution Vulnerability

CWE-782012

CVE-2012-5693

HIGH
CVSS:8.8(High)

Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddressTB parameter to (1) remoteAttack.pl or (2) ...

CWE-782012

CVE-2012-6610

HIGH
CVSS:8.8(High)

Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.

CWE-782012

CVE-2013-1598

HIGH
CVSS:8.8(High)

A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which cold let a malicious user execute arbitrary cod...

CWE-782013

CVE-2013-2024

HIGH
CVSS:8.8(High)

OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

CWE-782013