CVE-2019-5156
Severity
7.2 HIGH
EPSS
2.8%
top 13.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 11
Latest update: May 24
Description
An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject operating system commands into the TimeoutPrepared parameter value contained in the firmware update command.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9
Affected Packages (2 packages)
CVEListV5: wago/wago_pfc200_firmware, version 03.00.39(12), version 03.01.07(13), version 03.02.02(14) +2
Vulnerability Details (2)
GHSA
GHSA-4wh8-v3px-8552: An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03 | 2022-05-24
CVEList
CVE-2019-5156: An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03 | 2020-03-10