19 Sep 2018
CVE-2018-17208 - CVE Vulnerability
Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF. (CVSS:0.0) (Last Update:2018-09-19)
Vulnerability Details : Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF. Publish Date : 2018-09-19 Last Update Date : 2018-09-19 - CVSS Scores & Vulnerability Types
- Products Affected By CVE-2018-17208
- References For CVE-2018-17208
| ||||||||||||||||||||||||||||||||||||||||||||||
- Metasploit Modules Related To CVE-2018-17208There are not any metasploit modules related to this CVE entry (Please visit www.metasploit.com for more information) |