CVE-2024-7443

MEDIUM

Vivotek IB8367A VVTK-0100b - Command Injection via upload_file.cgi QUERY_STRING Parameter

Title source: llm

Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Vivotek IB8367A VVTK-0100b. Affected is the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-273528. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the affected release tree is end-of-life.

References (4)

Core 4

Core References

Permissions Required, Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.273528

Permissions Required, Third Party Advisory, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.273528

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.383844

Permissions Required broken-link

https://yjz233.notion.site/vivotek-IB8367A-has-command-injection-vulnerability-in-upload_file-cgi-899e5d529fb14b4189534b2b9830bfff?pvs=4

Scores

CVSS v3 6.3

EPSS 0.0269

EPSS Percentile 83.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (1)

vivotek/ib8367a_firmware

Published Aug 03, 2024

Tracked Since Feb 18, 2026