Critical severity9.8NVD Advisory· Published Jun 22, 2017· Updated May 13, 2026

CVE-2017-9807

Description

An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig.

Affected products

Openwebif Project/Openwebif
cpe:2.3:a:openwebif_project:openwebif:*:*:*:*:*:*:*:*
Range: <=1.2.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/E2OpenPlugins/e2openplugin-OpenWebif/issues/620nvdExploitIssue TrackingThird Party Advisory
www.securityfocus.com/bid/99232nvdThird Party AdvisoryVDB Entry
www.openwall.com/lists/oss-security/2017/10/02/4nvd
census-labs.com/news/2017/10/02/e2openplugin-openwebif-saveconfig-remote-code-execution/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.011
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000