CVE-2019-5168

CWE-78 — OS Command Injection3 documents3 sources

Severity

7.8HIGH

EPSS

0.6%

top 31.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wago Wago Pfc200 Firmware Wago Pfc200 Firmware

Timeline

PublishedMar 11

Latest updateMay 24

Description

An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name= using sprintf().This command is later executed via a call to system().

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDwago/pfc200_firmware03.02.02\(14\)

▶CVEListV5wago/wago_pfc200_firmwareversion 03.02.02(14)

🔴Vulnerability Details

GHSA

GHSA-3q35-r527-69h9: An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03↗2022-05-24

▶

CVEList

CVE-2019-5168: An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03↗2020-03-10

▶