CVE-2023-6926 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Crestron AM-300
https://notcve.org/view.php?id=CVE-2023-6926
There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access. References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02 CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-38405
https://notcve.org/view.php?id=CVE-2023-38405
On Crestron 3-Series Control Systems before 1.8001.0187, crafting and sending a specific BACnet packet can cause a crash. References: https://www.crestron.com/release_notes/cp3n_1.8001.0187_release_notes.pdf CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2022-40298
https://notcve.org/view.php?id=CVE-2022-40298
Crestron AirMedia for Windows before 5.5.1.84 has insecure inherited permissions, which lead to a privilege escalation vulnerability found in the AirMedia Windows Application, version 4.3.1.39. A low-privileged user can initiate a repair of the installation and gain a SYSTEM-level shell. References: https://www.crestron.com/Security/Security_Advisories https://www.crestron.com/release_notes/airmedia_windows_installer_release_notes_5.5.1.84.pdf CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2022-34101
https://notcve.org/view.php?id=CVE-2022-34101
A vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and perform a privilege escalation attack. References: https://www.crestron.com/Security/Security_Advisories https://www.crestron.com/release_notes/airmedia_windows_installer_release_notes_5.5.1.84.pdf CWE-427: Uncontrolled Search Path Element
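Both CVE-2022-40298 (CWE-732) and CVE-2022-34101 (CWE-427) come down to the same precondition on the host: a directory that the privileged installer or service trusts, but that a low-privileged user can write to, either because the ACL was set loosely or because a loose ACL was inherited from the parent. The advisories do not name the affected path or DLL, so the script below is an added audit helper, not Crestron's code and not a reproduction of either CVE: it walks an installation tree and reports every directory where a broad principal (Users, Authenticated Users, Everyone, INTERACTIVE) holds write-equivalent rights, and whether that ACE was inherited. The install path in the example call is an assumption for illustration only.

```powershell
# Added audit helper (not Crestron code). Flags directories under an install root where
# low-privileged principals hold write-equivalent rights: the condition behind CWE-732
# (CVE-2022-40298) and, when such a directory sits on a privileged process's DLL search
# path, CWE-427 (CVE-2022-34101). No path here comes from the advisories.

# Principals that any local, interactive or domain user is a member of.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights sufficient to create or replace a file, i.e. to plant a DLL or tamper with
# files that a repair or uninstall will later act on with SYSTEM privileges.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Find-WeakDirectoryAcl {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    # Include the root itself, then every subdirectory; unreadable ones are skipped.
    $dirs  = @(Get-Item -LiteralPath $Root)
    $dirs += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs matter; Deny ACEs restrict rather than grant.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # -band on the enum works on the underlying integer mask, so generic
            # rights that show up as raw numbers are still evaluated.
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                # True means the ACE was inherited from the parent rather than set
                # explicitly: the "inherited permissions" case named in CVE-2022-40298.
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Example run. The install path is assumed for illustration; adjust to the real one.
Find-WeakDirectoryAcl -Root 'C:\Program Files (x86)\Crestron\AirMedia' | Format-Table -AutoSize
```

An empty result means no broad principal can write anywhere in the tree. Any row with Inherited = True points at a parent directory whose ACL is the real problem; fixing the child alone will be undone the next time inheritance is re-applied. Rows on directories that a service or elevated installer loads DLLs from are the CWE-427 candidates and should be fixed by removing the write grant, not by adding a Deny ACE that a later install can silently overwrite.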
CVE-2022-34102
https://notcve.org/view.php?id=CVE-2022-34102
Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM-level command prompt. References: https://www.crestron.com/Security/Security_Advisories https://www.crestron.com/release_notes/airmedia_windows_installer_release_notes_5.5.1.84.pdf