CHT Security Red Team Discovered Vulnerabilities in Well-Known Endpoint Management System
Summary
Vulnerability List
[CVE-2021-44519] – Directory Traversal
[CVE-2021-44520] – Command Injection
[CVE-2022-26151] – Command Injection
Details
1. Directory Traversal
Description
A parameter in a specific function is affected by Directory Traversal.
Impact
Attackers could upload arbitrary files through this vulnerability, leading to remote code execution.
Known Affected Software
- Version 10.14.0 before rolling patch 4
- Version 10.13.0 before rolling patch 7
Credits
- TsungShu Chiu (CHT Security)
2. Command Injection
Description
Some parameters in a specific function are not properly neutralized.
Impact
Attackers could use a crafted request to run arbitrary OS commands with root privileges.
Known Affected Software
- Version 10.14.0 before rolling patch 4
- Version 10.13.0 before rolling patch 7
Credits
- TsungShu Chiu (CHT Security)
3. Command Injection
Description
Some parameters in a specific function are not properly neutralized.
Impact
Attackers could run arbitrary OS commands with root privileges.
Known Affected Software
- Version 10.14.0 before rolling patch 5
- Version 10.13.0 before rolling patch 8
Credits
- ShengFu Chang (CHT Security)