go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center



Cellopoint CelloOS - Remote Command Execution (RCE)

TVN ID TVN-202006002
Public Date 2020-08-27
Affected Products CelloOS v4.1.10 Build 20190922
Description Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.
CVE ID CVE-2020-17384
Solution Update to v4.1.10 Build 20200210 or higher.
Credit Cyku Hong from DEVCORE (https://devco.re)