Loading
PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can craft an HTTP request and override the 'writeresult' command-line parameter for HttpAdvancedSensor.exe to store arbitrary data in an arbitrary place on the file system. For example, the attacker can create an executable file in the \Custom Sensors\EXE directory and execute it by creating EXE/Script Sensor.
Use CWE-20, Paessler vendor hub and Prtg Network Monitor product page to widen CVE-2018-19204 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2023-31452, CVE-2023-32782 and CVE-2023-32781 for nearby disclosures in the same product family. Additional editorial context is available in Why “Low” and “Medium” CVEs Still Breach Networks.