CVE-2010-5330
On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- June 11, 2019
- Published Date
- June 11, 2019
- Last Updated
- February 07, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
- Exploitation
- active
- Automatable
- Yes
- Technical Impact
- total
Exploit Status
- Exploited in the Wild
- Yes (added 2022-04-15 00:00:00 UTC) Source
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2022-04-15 00:00:00 UTC |