Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.
Solution:
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
| Link | Tags |
|---|---|
| https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3 | product patch |
| https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL | product patch |
| https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT | product patch |
| https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/ | third party advisory exploit |
| http://seclists.org/fulldisclosure/2023/May/4 | third party advisory exploit |
| http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html |