CVE-2020-7240
Severity CVSS v4.0: Pending analysis
Type: CWE-78 OS Command Injections
Publication date: 20/01/2020
Last modified: 04/08/2024
Description
Meinberg Lantime M300 and M1000 devices allow attackers (with privileges to configure a device) to execute arbitrary OS commands by editing the /config/netconf.cmd script (aka Extended Network Configuration). Note: According to the description, the vulnerability requires a fully authenticated super-user account using a webUI function that allows super users to edit a script supposed to execute OS commands. The given weakness enumeration (CWE-78) is not applicable in this case, as it refers to abusing functions/input fields not supposed to be accepting OS commands by using 'Special Elements'.
Impact
Base Score 3.x: 8.80
Severity 3.x: HIGH
Base Score 2.0: 9.00
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:h:meinbergglobal:lantime_m300:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:meinbergglobal:lantime_m300_firmware:-:*:*:*:*:*:*:* | | |
| cpe:2.3:h:meinbergglobal:lantime_m1000:-:*:*:*:*:*:*:* | | |
| cpe:2.3:o:meinbergglobal:lantime_m1000_firmware:-:*:*:*:*:*:*:* | | |



