CVE-2018-17208

{"id": "CVE-2018-17208", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-09-19T17:29:00.257", "references": [{"url": "https://langkjaer.com/velop.html", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF."}, {"lang": "es", "value": "Los dispositivos de Linksys Velop 1.1.2.187020 permite la inyecci\u00f3n de comandos no autenticada, proporcionando a un atacante con acceso root total mediante cgi-bin/zbtest.cgi o cgi-bin/zbtest2.cgi (scripts que se pueden descubrir con binwalk en el firmware, pero no son visibles en la interfaz web). Esto ocurre porque los metacaracteres shell en la cadena de consulta se gestionan de manera incorrecta por ShellExecute, tal y como queda demostrado con la subcadena zbtest.cgi?cmd=levellevel=. Esto tambi\u00e9n se puede explotar mediante Cross-Site Request Forgery (CSRF)."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linksys:velop_firmware:1.1.2.187020:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A9C279E-F31A-42F4-989A-F5EF9D3384D3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:velop:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "864C4FC6-B81E-40A1-A5C3-2BAC9A8F2C06"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}