CVE-2017-14853
Published 2019-06-03
Priority: P3 · 54 · high · 8.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 3.77% (88.6th percentile)
The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orpak | siteomat | < 6.4.414.122 | 6.4.414.122 |
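CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |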
VulDB
Orpak SiteOmat OrCU code injection (BID-108167)
vuldb·2026-06-03·CVSS 8.6
CVE-2017-14853 [HIGH] Orpak SiteOmat OrCU code injection (BID-108167)
A vulnerability identified as critical has been detected in Orpak SiteOmat. Affected by this issue is some unknown functionality of the component OrCU. The manipulation leads to code injection.
This vulnerability is documented as CVE-2017-14853. The attack can be initiated remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA
GHSA-fh7c-h6pw-fjpf: The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shel
ghsa_unreviewed·2022-05-24
CVE-2017-14853 [CRITICAL] CWE-94 GHSA-fh7c-h6pw-fjpf: The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shel
The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device.
CISA ICS
Orpak SiteOmat
cisa_ics·2019-05-06·CVSS 9.8
[CRITICAL] Orpak SiteOmat
ICS Advisory
## Orpak SiteOmat
Last Revised: May 06, 2019
Alert Code: ICSA-19-122-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit/public exploits available
- Vendor: Orpak (acquired by Gilbarco Veeder-Root)
- Equipment: SiteOmat
- Vulnerabilities: Use of Hard-coded Credentials, Cross-site Scripting, SQL Injection, Missing Encryption of Sensitive Data, Code Injection, Stack-based Buffer Overflow
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in arbitrary remote code execution resulting in possible denial
No detection rules found.
No public exploits indexed.
Securelist
Gas is too expensive? Let’s make it cheap!
blogs_securelist·2018-02-07
Gas is too expensive? Let’s make it cheap!
Authors
- Ido Naor
A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life gas station, and we suspected this link made the station remotely hackable.
Amihai Neiderman, then working for Azimuth security, and I investigated the findings. When our suspicions turned out to be true, we reported them to the vendor.
The story was covered recently by Motherboard VICE, and here we will share some of the technical details behind it. Further details of this research will be shared in early March at the Security Analyst Summit 2018 in Cancun.
The device we inve