CVE-2018-18471

/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.
References
Link Resource
http://www.axentra.com/en/ Vendor Advisory URL Repurposed
https://www.wizcase.com/blog/hack-2018/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:axentra:hipserv:-:*:*:*:*:*:*:*
OR cpe:2.3:h:medion:lifecloud:-:*:*:*:*:*:*:*
cpe:2.3:h:netgear:stora:-:*:*:*:*:*:*:*
cpe:2.3:h:seagate:goflex_home:-:*:*:*:*:*:*:*

History

14 Feb 2024, 01:17

Type Values Removed Values Added
References () http://www.axentra.com/en/ - Vendor Advisory () http://www.axentra.com/en/ - Vendor Advisory, URL Repurposed

Information

Published : 2019-06-19 16:15

Updated : 2024-02-14 01:17


NVD link : CVE-2018-18471

Mitre link : CVE-2018-18471

CVE.ORG link : CVE-2018-18471


JSON object : View

Products Affected

netgear

  • stora

seagate

  • goflex_home

axentra

  • hipserv

medion

  • lifecloud
CWE
CWE-611

Improper Restriction of XML External Entity Reference