An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.
References
Link | Resource |
---|---|
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md | Third Party Advisory |
https://mxvirtual.com | Product |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2023-12-08T00:00:00
Updated: 2023-12-08T01:08:19.524708
Reserved: 2023-09-22T00:00:00
Link: CVE-2023-43744
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-08T01:15:07.337
Modified: 2023-12-13T15:35:02.467
Link: CVE-2023-43744
JSON object: View
Redhat Information
No data.
CWE