CVE-2014-5073 - vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute

CVE-2014-5073

Summary

vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call. <a href="http://cwe.mitre.org/data/definitions/77.html" target="_blank">CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')</a>

References

Vulnerable Configurations

cpe:2.3:a:vmturbo:operations_manager:4.0:*:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.0:*:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.5:-:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.5:-:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.5:1:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.5:1:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.6:*:*:*:*:*:*:*
cpe:2.3:a:vmturbo:operations_manager:4.6:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 29-08-2017 - 01:35)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	69225
exploit-db	34335
misc	http://disse.cting.org/2014/07/30/vmturbo-operation-manager-remote-command-execution/ http://packetstormsecurity.com/files/127864/VMTurbo-Operations-Manager-4.6-vmtadmin.cgi-Remote-Command-Execution.html http://secunia.com/secunia_research/2014-8/
osvdb	109572
secunia	58880
xf	vmturbo-cve20145073-cmd-exec(95319)

Last major update

29-08-2017 - 01:35

Published

29-08-2014 - 16:55

Last modified

29-08-2017 - 01:35