Online Weather - Command injection in queryBCP method

DATE

26.02.2020

Affected Vendor

IBL

Affected Product

Online Weather – Online Weather is an application developed for the automatic publishing of meteorological information online – https://www.iblsoft.com/products/onlineweather

Vulnerable version

4.3.5

Fixed version

4.3.5a

CVSS

10.0 Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Recommendations

Update to Online Weather version 4.3.5a

Vulnerability details

The queryBCP method of the Online Weather Auxiliary Service is prone to a command injection vulnerability via not validated parameter passed to the eval instruction.

CVE

CVE-2020-9406

Credits

Dawid Czarnecki

References

https://nvd.nist.gov/vuln/detail/CVE-2020-9406

Do you think the security of your data might be lacking? Let's find the best approach together.
Once you contact us, we will ask you about the project you want to secure.

Have Any Questions?

Online Weather – Command injection in queryBCP method

NEED A CONSULTATION?

contact@zigrin.com

GPG Key

Get a free consultation