CVE-2018-5347

Published: Jan 12, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.

Affected (1)

Products: Seagate: Personal Cloud Firmware

Seagate

1 product

Personal Cloud Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Seagate Personal Cloud Firmware	All versions

Running on/with	Platform Versions
Seagate Personal Cloud	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://blogs.securiteam.com/index.php/archives/3548

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.exploit-db.com/exploits/43659/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://blogs.securiteam.com/index.php/archives/3548

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.exploit-db.com/exploits/43659/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.