CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25859
https://notcve.org/view.php?id=CVE-2020-25859
The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to versions released in October 2020 uses a system() call without validating the input, while handling a SetGatewayUrl() request. A local attacker with shell access can pass shell metacharacters and run arbitrary commands. If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers. La utilidad QCMAP_CLI en la suite de software Qualcomm QCMAP anteriores a las versiones publicadas en octubre de 2020 usa una llamada system() sin comprobar la entrada, mientras maneja una petición de SetGatewayUrl(). • http://vdoo.com/blog/qualcomm-qcmap-vulnerabilities • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •