Fanvil X210 Buffer Overflow Vulnerability Allowing Denial-of-Service and Command Execution

Vulnerability

A buffer overflow vulnerability has been identified in Fanvil X210 devices running firmware version 2.12.20. It allows attackers to cause a denial-of-service condition or potentially execute arbitrary commands. The issue arises in the '/cgi-bin/webconfig?page=upload&action=submit' endpoint, where the POST parameter 'upload/dest' is not properly length-validated, so a submitted value longer than the buffer expects overflows it.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition and could allow for arbitrary command execution on the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/webconfig?page=upload&action=submit' endpoint. Include a crafted 'upload/dest' parameter payload that is at least 704 characters long. The request can be made using a web browser or a tool like curl, and must be directed to a Fanvil X210 device running firmware version 2.12.20.
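As an added defender-side example (not part of the advisory and not Fanvil's code), the following Python helper inspects a raw HTTP request and flags the pattern described above: a POST to the vulnerable endpoint whose decoded 'upload/dest' value is at least 704 bytes. The sample request builder, the host address and the 'upload/file' field name are constructed for illustration.

```python
"""Flag oversized 'upload/dest' submissions to the Fanvil X210 upload endpoint.
Added example, not vendor code; the 704-byte threshold is the length the advisory cites."""
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/cgi-bin/webconfig"
VULN_QUERY = {"page": "upload", "action": "submit"}
TRIGGER_FIELD = "upload/dest"
MIN_TRIGGER_LEN = 704  # minimum payload length cited in the advisory


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_overflow_attempt(raw: str) -> bool:
    """True when the request hits the vulnerable endpoint with an oversized upload/dest."""
    method, target, headers, body = parse_http_request(raw)
    if method.upper() != "POST":
        return False
    url = urlsplit(target)
    if url.path != VULN_PATH:
        return False
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    if any(query.get(k) != v for k, v in VULN_QUERY.items()):
        return False
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False
    # Measure the decoded value, which is what the CGI handler would copy.
    dest_values = parse_qs(body, keep_blank_values=True).get(TRIGGER_FIELD, [])
    return any(len(v.encode()) >= MIN_TRIGGER_LEN for v in dest_values)


def build_sample_request(dest: str) -> str:
    """Constructed test fixture (not captured traffic); 'upload/file' is assumed."""
    body = f"upload/dest={dest}&upload/file=config.txt"
    return ("POST /cgi-bin/webconfig?page=upload&action=submit HTTP/1.1\r\n"
            "Host: 192.0.2.10\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)
```

The check runs on the percent-decoded value, so an encoded long value is still counted at its decoded length, as the device would see it.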

Remediation

Users can upgrade to Fanvil X210 firmware version 2.12.22.2 to address this vulnerability.

Added: Dec 5, 2025, 4:22 PM
Updated: Dec 5, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.