Unrated severityNVD Advisory· Published Jun 13, 2022· Updated Sep 16, 2024

FESTO: CECC-X-M1 and Servo Press Kit YJKP OS Command Injection vulnerability

CVE-2022-30309

Description

In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

Affected products

Festo/Controller Cecc X M1 Ys L1 (8082793)v5
Range: 3.0.0
Festo/Controller Cecc X M1 Mv (8124923)v5
Range: 4.0.14
Festo/Controller Cecc X M1 Mv S1 (8124924)v5
Range: 4.0.14
Festo/Servo Press Kit Yjkp (8077950)v5
Range: 3.0.0
Festo/Controller CECC-X-M1-MV-S1 (4407606)v5
Range: 3.0.0
Festo/Controller CECC-X-M1-Y-YJKP (4803891)v5
Range: 3.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cert.vde.com/en/advisories/VDE-2022-020/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000