Description
The novish command-line interface, included in NoviFlow NoviWare before NW500.2.12 and deployed on NoviSwitch devices, is vulnerable to command injection in the "show status destination ipaddr" command. This could be used by a read-only user (monitoring group) or admin to execute commands on the operating system.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://drive.google.com/file/d/1iL4cc0ZbQK9s190DbFQD7mWYbBH-vlJb/view?usp=sharing
Scores
CVSS v3: 8.8
EPSS: 0.0712
EPSS Percentile: 93.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (1): noviflow/noviware < nw500.2.12
Published: Aug 17, 2020
Tracked Since: Feb 18, 2026