Vulnerability Details : CVE-2019-9189
Prima Systems FlexAir, Versions 2.4.9api3 and prior. The application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be executed immediately, and they run with root privileges rather than as the web server user, allowing an authenticated attacker to gain full system access.
Products affected by CVE-2019-9189
- cpe:2.3:a:primasystems:flexair:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9189
0.36%: probability of exploitation activity in the next 30 days
~73%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9189
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2019-9189
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9189
- http://packetstormsecurity.com/files/155273/Prima-Access-Control-2.3.35-Script-Upload-Remote-Code-Execution.html
  Prima Access Control 2.3.35 Script Upload Remote Code Execution ≈ Packet Storm
- https://applied-risk.com/resources/ar-2019-007
  Prima Systems FlexAir Multiple Vulnerabilities - Applied Risk (Third Party Advisory)
- https://applied-risk.com/index.php/download_file/view/199/165
  Applied Risk - Applied Risk (Third Party Advisory)
- https://applied-risk.com/labs/advisories
  Resources - Applied Risk (Third Party Advisory)
- https://www.us-cert.gov/ics/advisories/icsa-19-211-02
  Prima Systems FlexAir | CISA