ID

VAR-202010-0505


CVE

CVE-2020-25859


TITLE

OS command injection vulnerability in the Qualcomm QCMAP software suite

Trust: 0.8

sources: JVNDB: JVNDB-2020-012628

DESCRIPTION

The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to versions released in October 2020 uses a system() call without validating the input while handling a SetGatewayUrl() request. A local attacker with shell access can pass shell metacharacters and run arbitrary commands. If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers. An OS command injection vulnerability exists in the Qualcomm QCMAP software suite. Information may be obtained or tampered with, and a denial-of-service (DoS) condition may result. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands.

Trust: 1.71

sources: NVD: CVE-2020-25859 // JVNDB: JVNDB-2020-012628 // VULMON: CVE-2020-25859

IOT TAXONOMY

category: ['network device'], sub_category: network device

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: qualcomm, model: qcmap, scope: eq, version: -

Trust: 1.0

vendor: Qualcomm, model: qualcomm mobile access point, scope: eq, version: -

Trust: 0.8

vendor: Qualcomm, model: qualcomm mobile access point, scope: eq, version: before 2020/10

Trust: 0.8

sources: JVNDB: JVNDB-2020-012628 // NVD: CVE-2020-25859

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-25859
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-25859
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202010-693
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-25859
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-25859
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2020-25859
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-25859
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2020-25859 // JVNDB: JVNDB-2020-012628 // CNNVD: CNNVD-202010-693 // NVD: CVE-2020-25859

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype: OS command injection (CWE-78) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-012628 // NVD: CVE-2020-25859

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202010-693

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202010-693

PATCH

title: Top Page, url: https://www.qualcomm.com/

Trust: 0.8

title: Qualcomm QCMAP CLI Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=130761

Trust: 0.6

sources: JVNDB: JVNDB-2020-012628 // CNNVD: CNNVD-202010-693

EXTERNAL IDS

db: NVD, id: CVE-2020-25859

Trust: 2.6

db: JVNDB, id: JVNDB-2020-012628

Trust: 0.8

db: CNNVD, id: CNNVD-202010-693

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2020-25859

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2020-25859 // JVNDB: JVNDB-2020-012628 // CNNVD: CNNVD-202010-693 // NVD: CVE-2020-25859

REFERENCES

url:http://vdoo.com/blog/qualcomm-qcmap-vulnerabilities

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-25859

Trust: 1.4

url:https://www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/189912

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2020-25859 // JVNDB: JVNDB-2020-012628 // CNNVD: CNNVD-202010-693 // NVD: CVE-2020-25859

SOURCES

db: OTHER, id: -
db: VULMON, id: CVE-2020-25859
db: JVNDB, id: JVNDB-2020-012628
db: CNNVD, id: CNNVD-202010-693
db: NVD, id: CVE-2020-25859

LAST UPDATE DATE

2025-01-30T22:39:18.090000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2020-25859, date: 2020-10-28T00:00:00
db: JVNDB, id: JVNDB-2020-012628, date: 2021-05-18T04:55:00
db: CNNVD, id: CNNVD-202010-693, date: 2020-10-29T00:00:00
db: NVD, id: CVE-2020-25859, date: 2024-11-21T05:18:55.293

SOURCES RELEASE DATE

db: VULMON, id: CVE-2020-25859, date: 2020-10-15T00:00:00
db: JVNDB, id: JVNDB-2020-012628, date: 2021-05-18T00:00:00
db: CNNVD, id: CNNVD-202010-693, date: 2020-10-15T00:00:00
db: NVD, id: CVE-2020-25859, date: 2020-10-15T16:15:12.180