CVE-2024-7442

MEDIUM

Vivotek SD9364 VVTK-0103f - Command Injection via upload_file.cgi QUERY_STRING Parameter

Title source: llm

Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been rated as critical. This issue affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-273527. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.

References (4)

Core 4

Core References

Permissions Required, Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.273527

Permissions Required, Third Party Advisory, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.273527

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.383843

Permissions Required broken-link

https://yjz233.notion.site/vivotek-SD9364-has-command-injection-vulnerability-in-upload_file-cgi-5cef6da27b25479497dda0b73670f565?pvs=4

Scores

CVSS v3 6.3

EPSS 0.0269

EPSS Percentile 83.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (1)

vivotek/sd9364_firmware

Published Aug 03, 2024

Tracked Since Feb 18, 2026