CVE-2019-19994
CRITICALSelesta Visual Access Manager 4.15.0-4.29.0 - Unauthenticated OS Command Injection via vam_monitor_sap.php
Title source: llmDescription
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows blind Command Injection. An attacker without authentication is able to execute arbitrary operating system command by injecting the vulnerable parameter in the PHP Web page /common/vam_monitor_sap.php.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
Product x_refsource_misc
https://www.seling.it/
Product, Vendor Advisory x_refsource_misc
https://www.seling.it/product/vam/
Scores
CVSS v3
9.8
EPSS
0.0484
EPSS Percentile
90.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
seling/visual_access_manager
4.15.0 - 4.29.0
Published
Feb 26, 2020
Tracked Since
Feb 18, 2026