An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission.
References
| Link | Resource |
|---|---|
| http://seclists.org/fulldisclosure/2018/Aug/28 | Mailing List, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-08-24T19:00:00
Updated: 2018-08-24T18:57:01
Reserved: 2017-08-05T00:00:00
Link: CVE-2017-12577
NVD Information
Status: Analyzed
Published: 2018-08-24T19:29:01.017
Modified: 2018-11-05T19:31:13.330
Link: CVE-2017-12577
Redhat Information
No data.
CWE