FKIE_CVE-2019-25289

Vulnerability from fkie_nvd - Published: 2026-01-08 00:15 - Updated: 2026-01-08 18:08
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials.
References
disclosure@vulncheck.comhttps://cxsecurity.com/issue/WLB-2019120046
disclosure@vulncheck.comhttps://exchange.xforce.ibmcloud.com/vulnerabilities/172840
disclosure@vulncheck.comhttps://packetstormsecurity.com/files/155616
disclosure@vulncheck.comhttps://www.exploit-db.com/exploits/47765
disclosure@vulncheck.comhttps://www.inim.biz/
disclosure@vulncheck.comhttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SmartLiving SmartLAN \u003c=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the \u0027par\u0027 POST parameter with the \u0027testemail\u0027 module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials."
    },
    {
      "lang": "es",
      "value": "SmartLiving SmartLAN \u0026lt;=6.x contiene una vulnerabilidad de inyecci\u00f3n de comandos remota autenticada en el binario web.cgi a trav\u00e9s del par\u00e1metro POST \u0027par\u0027 con el m\u00f3dulo \u0027testemail\u0027. Los atacantes pueden explotar el par\u00e1metro no saneado y la llamada a la funci\u00f3n system() para ejecutar comandos de sistema arbitrarios con privilegios de root utilizando credenciales predeterminadas."
    }
  ],
  "id": "CVE-2019-25289",
  "lastModified": "2026-01-08T18:08:18.457",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "disclosure@vulncheck.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T00:15:58.797",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://cxsecurity.com/issue/WLB-2019120046"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/172840"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://packetstormsecurity.com/files/155616"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.exploit-db.com/exploits/47765"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.inim.biz/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.