CWE-78

The Kommbox component in Rangee GmbH RangeeOS 8.0.4 is vulnerable to Remote Code Execution due to untrusted user supplied input being passed to the command line without sanitization.

In the default configuration of Rangee GmbH RangeeOS 8.0.4, all components are executed in the context of the privileged root user. This may allow a local attacker to break out of the restricted environment or inject malicious code into the application and fully compromise the operating system.

Winston 1.5.4 devices are vulnerable to command injection via the API.

Using a specially crafted URL command, a remote authenticated user can execute commands as root on the G-Cam and G-Code (Firmware Versions 1.12.0.25 and prior as well as the limited Versions 1.12.13.2 and 1.12.14.5).

The login page in Telmat AccessLog <= 6.0 (TAL_20180415) allows an attacker to get root shell access via Unauthenticated code injection over the network.

The ping page of the administration panel in Telmat AccessLog <= 6.0 (TAL_20180415) allows an attacker to get root shell access via authenticated code injection over the network.