Full title: Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution Vulnerability
Category: web applications
Platform: hardware

Pelco IP cameras suffer from an authenticated remote code execution vulnerability. The POST parameter 'enable_leds', located in the update() function called via the GeneralSetupController.php script, is not properly sanitised before being used in the writeLedConfig() function to set the LED state to on or off. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges, using a specially crafted request and an escape sequence to the system shell.

# 0day.today @ http://0day.today/
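The fix for the flaw described above is to reduce 'enable_leds' to a strict boolean before it reaches writeLedConfig() and to store the state without invoking a shell. The following is an added example, not Pelco's code: only the names enable_leds, update() and writeLedConfig() come from the advisory, while the function bodies, the accepted on/off values and the temporary config path are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Pelco firmware code. Assumed shape of the flaw:
// the raw POST value is concatenated into a shell command string.
// Hardened form: allowlist the value, then write a server-chosen literal.

/** Map the request value to a strict boolean; reject everything else. */
function parseLedState($raw): bool
{
    if (!is_string($raw)) {
        // Covers a missing parameter and array input (enable_leds[]=...).
        throw new InvalidArgumentException('enable_leds missing or not a string');
    }
    if (in_array($raw, ['1', 'on', 'true'], true)) {   // assumed "on" values
        return true;
    }
    if (in_array($raw, ['0', 'off', 'false'], true)) { // assumed "off" values
        return false;
    }
    throw new InvalidArgumentException('enable_leds is not an on/off value');
}

/** Persist the state without a shell; request data never reaches a command. */
function writeLedConfig(bool $on, string $path): void
{
    if (file_put_contents($path, $on ? "1\n" : "0\n", LOCK_EX) === false) {
        throw new RuntimeException('cannot write LED config');
    }
}

function update(array $post, string $path): bool
{
    $on = parseLedState($post['enable_leds'] ?? null);
    writeLedConfig($on, $path);
    return $on;
}

// Constructed inputs: two valid states and two values that must be refused.
$path = tempnam(sys_get_temp_dir(), 'led'); // hypothetical config location
foreach (['on', '0', '1;placeholder', ['1']] as $value) {
    try {
        $on = update(['enable_leds' => $value], $path);
        printf("%s -> LED %s\n", json_encode($value), $on ? 'on' : 'off');
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected (%s)\n", json_encode($value), $e->getMessage());
    }
}
unlink($path);
```

Because the validated value is a bool, nothing derived from the request body can carry shell metacharacters into a later command, even if another code path still shells out.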