CVE-2021-26728 | Command injection and stack-based buffer overflow vulnerabil… | CVSS 10.0 CRITICAL

Description

Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Metadata

CVE ID: CVE-2021-26728
State: PUBLISHED
Assigner: Nozomi
Reserved: 2021-02-05 00:00 UTC
Published: 2022-10-24 00:00 UTC
Last updated: 2024-08-03 20:33 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: Lanner Inc / IAC-AST2500A
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Lanner Inc	IAC-AST2500A	—	1.10.0

Weakness (CWE)

CWE	Source	Description
CWE-121	cna	CWE-121 Stack-based Buffer Overflow
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (2)