CVE-2019-14451

CRITICAL

Repetier-Server 0.8-0.91 - RCE


Description

RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not properly validate the XML data structure provided when uploading a new printer configuration. When this is combined with CVE-2019-14450, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.

Scores

CVSS v3: 9.8
EPSS: 0.0375
EPSS Percentile: 88.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-434
Status: published
Products (1): repetier-server/repetier-server 0.80 - 0.91
Published: Oct 25, 2019
Tracked Since: Feb 18, 2026