CVE-2021-32530

QSAN XEVO - Command Injection Following via Array function

CVSS 9.8 CRITICAL · EPSS 2.3% · CWE-78
In short

A flaw in QSAN XEVO's Array function allows attackers to inject and execute arbitrary system commands by manipulating the status parameter, without needing to log in. This lets unauthorized users take complete control of the system.

Technical detail

OS command injection vulnerability exists in the Array function due to insufficient input validation on the status parameter, allowing remote unauthenticated attackers to inject malicious commands that are executed with system privileges. The vulnerability requires network access to the vulnerable endpoint but no authentication, resulting in arbitrary code execution and complete system compromise.

Summary generated and translated by AI from the official description.
OS command injection vulnerability in Array function in QSAN XEVO allows remote unauthenticated attackers to execute arbitrary commands via status parameter. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
QSAN · XEVO