CHT Security Red Team Discovered Vulnerabilities in Well-Known Endpoint Management System

Summary

Vulnerability List

[CVE-2021-44519] – Directory Traversal

[CVE-2021-44520] – Command Injection

[CVE-2022-26151] – Command Injection



Details

1. Directory Traversal

Description

A parameter of a specific function is not properly validated, allowing directory traversal.

Impact

An attacker could use this vulnerability to upload a file to an arbitrary location on the server, leading to remote code execution.

Known Affected Software

  • Version 10.14.0 before rolling patch 4
  • Version 10.13.0 before rolling patch 7

Credits

  • TsungShu Chiu (CHT Security)
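The pattern behind item 1, as an added illustration that is not code from the advisory or from the affected product: a generic upload handler that joins a client-supplied filename to a server directory, next to a hardened version that only accepts a bare filename and verifies the resolved target before writing. FS_ROOT, UPLOAD_ROOT, the function names and the sample filename are hypothetical; the vulnerable variant writes into a temporary sandbox so it never touches the real filesystem.

```python
# Added example, not code from the advisory or from the affected product:
# a generic upload handler showing the directory-traversal pattern of item 1
# (client-controlled path joined to a server directory) beside a hardened one.
# FS_ROOT, UPLOAD_ROOT, the function names and the sample filename are all
# hypothetical; everything is written under a temporary sandbox directory.
import os
import tempfile

# Constructed sandbox that stands in for the server's filesystem, so the
# vulnerable variant lands in <sandbox>/etc/cron.d rather than the real /etc.
FS_ROOT = tempfile.mkdtemp(prefix="traversal_demo_")
UPLOAD_ROOT = os.path.join(FS_ROOT, "var", "app", "uploads")
os.makedirs(UPLOAD_ROOT)
os.makedirs(os.path.join(FS_ROOT, "etc", "cron.d"))

# Constructed attacker-supplied filename: three '..' segments climb from
# var/app/uploads back to the sandbox root, then descend into etc/cron.d.
TRAVERSAL_NAME = "../../../etc/cron.d/evil"


def save_upload_vulnerable(filename: str, data: bytes) -> str:
    """Vulnerable: the client's filename is joined to UPLOAD_ROOT as-is, so
    '..' segments place the file anywhere the service user can write.
    Returns the resolved path that was actually written."""
    path = os.path.join(UPLOAD_ROOT, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def save_upload_hardened(filename: str, data: bytes) -> str:
    """Hardened: accept a bare filename only, then verify the resolved target
    still lies under UPLOAD_ROOT before writing (defence in depth against
    symlinks or encoding tricks that slip past the first check)."""
    if not filename or filename in (".", "..") or any(
        sep in filename for sep in ("/", "\\", "\0")
    ):
        raise ValueError("invalid filename")
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def is_inside_upload_root(path: str) -> bool:
    """True if the resolved path lies under UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def relative_to_sandbox(path: str) -> str:
    """Path relative to the sandbox root, for readable results."""
    return os.path.relpath(os.path.realpath(path), os.path.realpath(FS_ROOT))


def hardened_rejects(filename: str) -> bool:
    """True if the hardened handler refuses the filename."""
    try:
        save_upload_hardened(filename, b"probe")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    written = save_upload_vulnerable(TRAVERSAL_NAME, b"* * * * * root id\n")
    print("vulnerable handler wrote:", relative_to_sandbox(written))
    print("hardened handler rejects it:", hardened_rejects(TRAVERSAL_NAME))
```

The second check in the hardened handler (resolving with realpath and comparing against the upload root) is what turns a traversal into a rejected request even if the separator filter is bypassed, for example through a symlink already present in the upload directory.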


2. Command Injection

Description

Some parameters of a specific function are not properly neutralized before being used in an OS command.

Impact

An attacker could send a crafted request to run arbitrary OS commands with root privileges.

Known Affected Software

  • Version 10.14.0 before rolling patch 4
  • Version 10.13.0 before rolling patch 7

Credits

  • TsungShu Chiu (CHT Security)

3. Command Injection

Description

Some parameters of a specific function are not properly neutralized before being used in an OS command.

Impact

An attacker could run arbitrary OS commands with root privileges.

Known Affected Software

  • Version 10.14.0 before rolling patch 5
  • Version 10.13.0 before rolling patch 8

Credits

  • ShengFu Chang (CHT Security)
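The pattern behind items 2 and 3, as an added illustration that is not code from the advisory or from the affected product: a generic request handler that interpolates a request parameter into a shell command, next to a hardened version that validates the parameter against an allowlist and passes it as a separate argv element with no shell involved. The function names, the host parameter and the sample inputs are hypothetical; echo stands in for whatever utility the real code invokes.

```python
# Added example, not code from the advisory or from the affected product:
# a generic request handler showing the command-injection pattern of items 2
# and 3 (request parameters interpolated into an OS command) beside a hardened
# version. The function names, the 'host' parameter and the sample inputs are
# hypothetical; 'echo' stands in for whatever utility the real code invokes.
import re
import subprocess

# Allowlist for the one parameter this handler takes: hostname characters only.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: the parameter is concatenated into a command string that a
    shell parses, so ';', '|', '$(...)' and similar in `host` run extra
    commands with the privileges of the service (root, per the advisory)."""
    cmd = "echo resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Hardened: validate against the allowlist, refuse option-looking values
    (argument injection), and hand the value to the program as its own argv
    element so no shell ever parses it."""
    if not HOST_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("invalid host")
    result = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True, check=True
    )
    return result.stdout


def hardened_rejects(host: str) -> bool:
    """True if the hardened handler refuses the parameter."""
    try:
        lookup_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "a.example; echo INJECTED"
    print("vulnerable output:", repr(lookup_vulnerable(payload)))
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened output:", repr(lookup_hardened("a.example")))
```

Passing an argv list instead of a shell string is the fix that removes the injection; the allowlist and the leading-dash check are added so that a value cannot be turned into an option for the invoked program either. Since the advisory notes the commands run as root, dropping the service's privileges is the complementary change that limits what a future injection can reach.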