CVE-2017-12577
CRITICALPLANEX CS-QR20 1.30 - Authenticated Remote Code Execution via Hardcoded Credentials
Title source: llmDescription
An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission.
References (1)
Core 1
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Aug/28
Scores
CVSS v3
9.8
EPSS
0.0146
EPSS Percentile
70.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-798
Status
published
Products (2)
planex/cs-qr20_firmware
1.30
planex/smacam_night_vision
Published
Aug 24, 2018
Tracked Since
Feb 18, 2026