Vulnerability Details CVE-2020-8233
A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.049
EPSS Ranking 89.1%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html
- https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c
- https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821
- https://www.ui.com/download/edgemax
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html
- https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c
- https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821
- https://www.ui.com/download/edgemax
Products affected by CVE-2020-8233
-
cpe:2.3:a:opensuse:backports_sle:15.0
-
cpe:2.3:a:ui:edgeswitch_firmware:1.7.1
-
cpe:2.3:h:ui:ep-16-xg:-
-
cpe:2.3:h:ui:ep-s16:-
-
cpe:2.3:h:ui:es-12f:-
-
cpe:2.3:h:ui:es-16-150w:-
-
cpe:2.3:h:ui:es-24-250w:-
-
cpe:2.3:h:ui:es-24-500w:-
-
cpe:2.3:h:ui:es-24-lite:-
-
cpe:2.3:h:ui:es-48-500w:-
-
cpe:2.3:h:ui:es-48-750w:-
-
cpe:2.3:h:ui:es-48-lite:-
-
cpe:2.3:h:ui:es-8-150w:-
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:opensuse:leap:15.2