Inclusion of Functionality from Untrusted Control Sphere

CVE-2020-16152

High

9.8/10

Summary

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

Advisory Timeline

Published Nov 14, 2021

Inclusion of Functionality from Untrusted Control Sphere

CVE-2020-16152

Summary

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS