Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Mitel 6869i

4.5.0.41

Source

cve@mitre.org

CVE-2024-37570 details

Published : June 9, 2024, 8:15 p.m.
Last Modified : June 9, 2024, 8:15 p.m.

Description

On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.

CVSS Score

1	2	3	4	5	6	7	8	9	10

Weakness

Weakness	Name	Description

References

URL	Source
https://github.com/kwburns/CVE/blob/main/Mitel/5.0.0.1018/code/exploit-firmware.py	cve@mitre.org
https://github.com/kwburns/CVE/tree/main/Mitel/5.0.0.1018#authenticated-remote-command-execution-firmware	cve@mitre.org

This website uses the NVD API, but is not approved or certified by it.

CVE-2024-37570