CVE-2019-9161

Published: Apr 18, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.)

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.cnvd.org.cn/flaw/show/CNVD-2019-07679

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-9161

Description

Affected Products

References