CVE Vulnerability

CVE-2019-15766

The KSLABS KSWEB (aka ru.kslabs.ksweb) application 3.93 for Android allows authenticated remote code execution via a POST request to the AJAX handler with the configFile parameter set to the arbitrary file to be written to (and the config_text parameter set to the content of the file to be created). This can be a PHP file that is written to in the public web directory and subsequently executed. The attacker must have network connectivity to the PHP server that is running on the Android device.

6.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://rastating.github.io/ksweb-android-remote-code-execution/ Exploit Third Party Advisory
https://play.google.com/store/apps/details?id=ru.kslabs.ksweb&gl=GB Product
Configurations

Configuration 1

cpe:2.3:a:kslabs:ksweb:3.93:*:*:*:*:android:*:*
Information

Published : 2019-10-03 09:15

Updated : 2021-07-21 11:39

NVD link : CVE-2019-15766

Mitre link : CVE-2019-15766

Products Affected
No products.
CWE
CWE-434