CVE-2019-16305
Summary
| CVE | CVE-2019-16305 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-09-14 15:15:00 UTC |
| Updated | 2020-08-24 17:37:00 UTC |
| Description | In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI. |
Risk And Classification
Problem Types: CWE-77
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Microsoft | Windows | - | All | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
| Application | Mobatek | Mobaxterm | 11.1 | All | All | All |
| Application | Mobatek | Mobaxterm | 12.1 | All | All | All |
| Application | Mobatek | Mobaxterm | 11.1 | All | All | All |
| Application | Mobatek | Mobaxterm | 12.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| MobaXterm command execution in protocol handler | Infosec blog | MISC | freetom.github.io | Exploit |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.