CVE-2018-7539

On Appear TV XC5000 and XC5100 devices with firmware 3.26.217, it is possible to read OS files with a specially crafted HTTP request (such as GET /../../../../../../../../../../../../etc/passwd) to the web server (fuzzd/0.1.1) running the Maintenance Center on port TCP/8088. This can lead to full compromise of the device.
References
Link Resource
http://seclists.org/fulldisclosure/2018/Apr/34 Exploit Mitigation Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:appeartv:xc5000_firmware:3.26.217:*:*:*:*:*:*:*
cpe:2.3:h:appeartv:xc5000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:appeartv:xc5100_firmware:3.26.217:*:*:*:*:*:*:*
cpe:2.3:h:appeartv:xc5100:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-04-17 20:29

Updated : 2023-12-10 12:30


NVD link : CVE-2018-7539

Mitre link : CVE-2018-7539

CVE.ORG link : CVE-2018-7539


JSON object : View

Products Affected

appeartv

  • xc5100_firmware
  • xc5000_firmware
  • xc5100
  • xc5000
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')