CVE-2019-7669 Information

Description

Prima Systems FlexAir Versions 2.3.38 and prior. Improper validation of file extensions when uploading files could allow a remote authenticated attacker to upload and execute malicious applications within the application’s web root with root privileges.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://packetstormsecurity.com/files/155270/FlexAir-Access-Control-2.3.38-Command-Injection.html https://applied-risk.com/labs/advisories https://www.applied-risk.com/resources/ar-2019-007 https://www.us-cert.gov/ics/advisories/icsa-19-211-02

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8