ID

VAR-201908-0299


CVE

CVE-2019-15498


TITLE

OS command injection vulnerability in Vera Edge Home Controller

Trust: 0.8

sources: JVNDB: JVNDB-2019-008194

DESCRIPTION

cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh. Vera Edge Home Controller is a smart home central control unit. The vulnerability stems from the product not correctly filtering special characters, commands, and similar elements when it constructs executable operating system commands from external input data.

Trust: 2.25

sources: NVD: CVE-2019-15498 // JVNDB: JVNDB-2019-008194 // CNVD: CNVD-2019-29124 // VULHUB: VHN-147550

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-29124

AFFECTED PRODUCTS

vendor: getvera, model: vera edge, scope: eq, version: 1.7.4452

Trust: 1.0

vendor: vera control, model: veraedge, scope: eq, version: 1.7.4452

Trust: 0.8

vendor: vera, model: edge vera edge home controller, scope: eq, version: 1.7.4452

Trust: 0.6

sources: CNVD: CNVD-2019-29124 // JVNDB: JVNDB-2019-008194 // NVD: CVE-2019-15498

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15498
value: HIGH

Trust: 1.0

NVD: CVE-2019-15498
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-29124
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-1863
value: MEDIUM

Trust: 0.6

VULHUB: VHN-147550
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-15498
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-29124
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-147550
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-15498
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-29124 // VULHUB: VHN-147550 // JVNDB: JVNDB-2019-008194 // CNNVD: CNNVD-201908-1863 // NVD: CVE-2019-15498

PROBLEMTYPE DATA

problemtype:CWE-88

Trust: 1.1

problemtype:CWE-78

Trust: 0.9

sources: VULHUB: VHN-147550 // JVNDB: JVNDB-2019-008194 // NVD: CVE-2019-15498

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1863

TYPE

parameter injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1863

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008194

PATCH

title: VeraEdge, url: https://getvera.com/blogs/our-blog/veraedge-home-controller

Trust: 0.8

sources: JVNDB: JVNDB-2019-008194

EXTERNAL IDS

db: NVD, id: CVE-2019-15498

Trust: 3.1

db: JVNDB, id: JVNDB-2019-008194

Trust: 0.8

db: CNNVD, id: CNNVD-201908-1863

Trust: 0.7

db: CNVD, id: CNVD-2019-29124

Trust: 0.6

db: VULHUB, id: VHN-147550

Trust: 0.1

sources: CNVD: CNVD-2019-29124 // VULHUB: VHN-147550 // JVNDB: JVNDB-2019-008194 // CNNVD: CNNVD-201908-1863 // NVD: CVE-2019-15498

REFERENCES

url:https://distributedcompute.com/2019/08/22/vera-edge-home-controller-remote-shell-via-unauthenticated-command-injection/

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-15498

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15498

Trust: 0.8

sources: CNVD: CNVD-2019-29124 // VULHUB: VHN-147550 // JVNDB: JVNDB-2019-008194 // CNNVD: CNNVD-201908-1863 // NVD: CVE-2019-15498

SOURCES

db: CNVD, id: CNVD-2019-29124
db: VULHUB, id: VHN-147550
db: JVNDB, id: JVNDB-2019-008194
db: CNNVD, id: CNNVD-201908-1863
db: NVD, id: CVE-2019-15498

LAST UPDATE DATE

2024-11-23T22:41:26.529000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-29124, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-147550, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2019-008194, date: 2019-08-28T00:00:00
db: CNNVD, id: CNNVD-201908-1863, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2019-15498, date: 2024-11-21T04:28:52.427

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-29124, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-147550, date: 2019-08-23T00:00:00
db: JVNDB, id: JVNDB-2019-008194, date: 2019-08-28T00:00:00
db: CNNVD, id: CNNVD-201908-1863, date: 2019-08-23T00:00:00
db: NVD, id: CVE-2019-15498, date: 2019-08-23T04:15:11.333