CVE-2022-40282
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/11/2022
Last modified: 29/04/2025
Description
The web server of Hirschmann BAT-C2 before 09.13.01.00R04 allows authenticated command injection. This allows an authenticated attacker to pass commands to the shell of the system because the dir parameter of the FsCreateDir Ajax function is not sufficiently sanitized. The vendor's ID is BSECV-2022-21.
Impact
Base Score 3.x: 8.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:belden:hirschmann_bat-c2_firmware:*:*:*:*:*:*:*:* | 09.13.00r04 (excluding) | |
| cpe:2.3:h:belden:hirschmann_bat-c2:-:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/170063/Hirschmann-Belden-BAT-C2-8.8.1.0R8-Command-Injection.html
- http://seclists.org/fulldisclosure/2022/Nov/19
- https://www.belden.com/support/security-assurance



