Description
A command injection vulnerability exists in EdgeSwitch firmware versions prior to v1.9.0 that allows an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.
References (4)
Vendor Advisory (x_refsource_misc): https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821
Patch, Release Notes, Vendor Advisory (x_refsource_misc): https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c
Product (x_refsource_misc): https://www.ui.com/download/edgemax
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html
Scores
CVSS v3 base score: 8.8
EPSS: 0.1519
EPSS Percentile: 94.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78, CWE-77
Status: published
Products (4)
opensuse/backports_sle 15.0 sp1 (2 CPE variants)
opensuse/leap 15.1
opensuse/leap 15.2
ui/edgeswitch_firmware < 1.9.0
Published: Aug 17, 2020
Tracked Since: Feb 18, 2026