Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for CelloOS by Cellopoint
CVE-2026-12059 (GCVE-0-2026-12059)
Vulnerability from nvd – Published: 2026-06-12 06:30 – Updated: 2026-06-12 13:58
VLAI
Title
Cellopoint|CelloOS - Improper Access Control
Summary
The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1284 - Improper validation of specified quantity in input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10966-3258e-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10965-3ce75-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , < 4.8.0 Build 20260316
(custom)
|
Date Public
2026-06-12 06:27
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:55:06.257796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:58:36.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThan": "4.8.0 Build 20260316",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-06-12T06:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope."
}
],
"value": "The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper validation of specified quantity in input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T06:30:54.990Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10966-3258e-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10965-3ce75-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;Systems connected to the vendor update service received vendor-side remediation on 2026-03-18. Systems that are offline, isolated, or otherwise unable to receive remote patches should be manually updated to any fixed release made available on or after 2026-03-18."
}
],
"value": "Systems connected to the vendor update service received vendor-side remediation on 2026-03-18. Systems that are offline, isolated, or otherwise unable to receive remote patches should be manually updated to any fixed release made available on or after 2026-03-18."
}
],
"source": {
"advisory": "TVN-202606002",
"discovery": "EXTERNAL"
},
"title": "Cellopoint\uff5cCelloOS - Improper Access Control",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-12059",
"datePublished": "2026-06-12T06:30:54.990Z",
"dateReserved": "2026-06-12T06:01:41.825Z",
"dateUpdated": "2026-06-12T13:58:36.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-17384 (GCVE-0-2020-17384)
Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:12
VLAI
Title
Cellopoint CelloOS - Remote Command Execution (RCE)
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.
Severity
7.2 (High)
CWE
- Remote Command Execution (RCE)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:17.071Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Command Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:12:49.923Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.10 Build 20200210 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.10 Build 20200210 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Remote Command Execution (RCE)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17384",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Remote Command Execution (RCE)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Command Execution (RCE)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.10 Build 20200210 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17384",
"datePublished": "2020-08-25T07:35:18.103Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:12:49.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17386 (GCVE-0-2020-17386)
Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:15
VLAI
Title
Cellopoint CelloOS - Server-Side Request Forgery (SSRF)
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
Severity
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:16.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:15:14.444Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17386",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17386",
"datePublished": "2020-08-25T07:35:18.925Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:15:14.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17385 (GCVE-0-2020-17385)
Vulnerability from nvd – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:14
VLAI
Title
Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.
Severity
7.5 (High)
CWE
- Unauthenticated Arbitrary File Disclosure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:17.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthenticated Arbitrary File Disclosure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:14:05.045Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17385",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unauthenticated Arbitrary File Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17385",
"datePublished": "2020-08-25T07:35:18.510Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:14:05.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-12059 (GCVE-0-2026-12059)
Vulnerability from cvelistv5 – Published: 2026-06-12 06:30 – Updated: 2026-06-12 13:58
VLAI
Title
Cellopoint|CelloOS - Improper Access Control
Summary
The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-1284 - Improper validation of specified quantity in input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10966-3258e-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10965-3ce75-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , < 4.8.0 Build 20260316
(custom)
|
Date Public
2026-06-12 06:27
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:55:06.257796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:58:36.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThan": "4.8.0 Build 20260316",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-06-12T06:27:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope."
}
],
"value": "The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper validation of specified quantity in input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T06:30:54.990Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10966-3258e-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10965-3ce75-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u0026nbsp;Systems connected to the vendor update service received vendor-side remediation on 2026-03-18. Systems that are offline, isolated, or otherwise unable to receive remote patches should be manually updated to any fixed release made available on or after 2026-03-18."
}
],
"value": "Systems connected to the vendor update service received vendor-side remediation on 2026-03-18. Systems that are offline, isolated, or otherwise unable to receive remote patches should be manually updated to any fixed release made available on or after 2026-03-18."
}
],
"source": {
"advisory": "TVN-202606002",
"discovery": "EXTERNAL"
},
"title": "Cellopoint\uff5cCelloOS - Improper Access Control",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-12059",
"datePublished": "2026-06-12T06:30:54.990Z",
"dateReserved": "2026-06-12T06:01:41.825Z",
"dateUpdated": "2026-06-12T13:58:36.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-17386 (GCVE-0-2020-17386)
Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:15
VLAI
Title
Cellopoint CelloOS - Server-Side Request Forgery (SSRF)
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
Severity
6.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:16.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:15:14.444Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17386",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Server-Side Request Forgery (SSRF)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3847-c62ca-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17386",
"datePublished": "2020-08-25T07:35:18.925Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:15:14.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17385 (GCVE-0-2020-17385)
Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:14
VLAI
Title
Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.
Severity
7.5 (High)
CWE
- Unauthenticated Arbitrary File Disclosure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:17.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unauthenticated Arbitrary File Disclosure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:14:05.045Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.12 Build 20200701 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17385",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Unauthenticated Arbitrary File Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly, which allows unauthorized user to launch Path Traversal attack and access arbitrate file on the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unauthenticated Arbitrary File Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3846-7790c-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.12 Build 20200701 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17385",
"datePublished": "2020-08-25T07:35:18.510Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:14:05.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-17384 (GCVE-0-2020-17384)
Vulnerability from cvelistv5 – Published: 2020-08-25 07:35 – Updated: 2025-05-08 09:12
VLAI
Title
Cellopoint CelloOS - Remote Command Execution (RCE)
Summary
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.
Severity
7.2 (High)
CWE
- Remote Command Execution (RCE)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cellopoint | CelloOS |
Affected:
0 , ≤ v4.1.10 Build 20190922
(custom)
|
Date Public
2020-08-24 16:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:53:17.071Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CelloOS",
"vendor": "Cellopoint",
"versions": [
{
"lessThanOrEqual": "v4.1.10 Build 20190922",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-24T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system.\u003c/p\u003e"
}
],
"value": "Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Command Execution (RCE)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T09:12:49.923Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to v4.1.10 Build 20200210 or higher.\u003c/p\u003e"
}
],
"value": "Update to v4.1.10 Build 20200210 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cellopoint CelloOS - Remote Command Execution (RCE)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-25T07:30:00.000Z",
"ID": "CVE-2020-17384",
"STATE": "PUBLIC",
"TITLE": "Cellopoint CelloOS - Remote Command Execution (RCE)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CelloOS",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v4.1.10 Build 20190922"
}
]
}
}
]
},
"vendor_name": "Cellopoint"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Command Execution (RCE)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3845-be6bf-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to v4.1.10 Build 20200210 or higher."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-17384",
"datePublished": "2020-08-25T07:35:18.103Z",
"dateReserved": "2020-08-07T00:00:00.000Z",
"dateUpdated": "2025-05-08T09:12:49.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}