First published: Wed Jul 01 2020
An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Linkplay | | |
CVE-2019-15310 is classified as critical due to the potential for WAN remote code execution without user interaction.
To mitigate CVE-2019-15310, update the affected Linkplay devices with the latest firmware provided by the vendor.
CVE-2019-15310 affects various devices that utilize Linkplay firmware.
An attacker exploiting CVE-2019-15310 could retrieve sensitive AWS keys and gain full control over Linkplay's AWS resources.
CVE-2019-15310 does not require user interaction; it allows remote code execution without any.