Vulnerability Details : CVE-2013-6881
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
Products affected by CVE-2013-6881
- cpe:2.3:o:cru-inc:ditto_forensic_fieldstation_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:h:cru-inc:ditto_forensic_fieldstation:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-6881
3.64%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-6881
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
CWE ids for CVE-2013-6881
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-6881
-
http://www.exploit-db.com/exploits/30396
Ditto Forensic FieldStation 2013Oct15a - Multiple Vulnerabilities - PHP webapps ExploitExploit
-
http://seclists.org/fulldisclosure/2013/Dec/80
Full Disclosure: Ditto Forensic FieldStation, multiple vulnerabilitiesExploit
-
http://packetstormsecurity.com/files/124420/Ditto-Forensic-FieldStation-2013Oct15a-XSS-CSRF-Command-Execution.html
Ditto Forensic FieldStation 2013Oct15a XSS/ CSRF / Command Execution ≈ Packet StormExploit
-
http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
Ditto Firmware Release Notes 2013Oct15a - CRUVendor Advisory
-
http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/
Ditto Firmware Release Notes 2013Jun30a - CRUVendor Advisory
Jump to