TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center-Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure

Date:2020-08-27

Font-stze:

Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure

TVN ID	TVN-202006003
CVE ID	CVE-2020-17385
CVSS	7.5 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products	CelloOS v4.1.10 Build 20190922
Description	Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.
Solution	Update to v4.1.12 Build 20200701 or higher.
Credit	Cyku Hong from DEVCORE (https://devco.re)
Public Date	2020-08-27