CVE-2018-9075
8.1
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 / Impact: 5.9
Source: NVD
Description
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.
Affected (1)
Products: Lenovo: Lenovoemc Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 4.1.402.34662 |
| Running on/with | Platform Versions |
|---|---|
Lenovo Iomega Ez Media & Backup Center | All versions |
Lenovo Iomega Storcenter Ix2 | All versions |
Lenovo Iomega Storcenter Ix2 Dl | All versions |
Lenovo Iomega Storcenter Ix4 300d | All versions |
Lenovo Iomega Storcenter Px12 400r | All versions |
Lenovo Iomega Storcenter Px12 450r | All versions |
Lenovo Iomega Storcenter Px2 300d | All versions |
Lenovo Iomega Storcenter Px4 300d | All versions |
Lenovo Iomega Storcenter Px4 300r | All versions |
Lenovo Iomega Storcenter Px6 300d | All versions |
Lenovo Lenovo Ez Media & Backup Center | All versions |
Lenovo Lenovo Ix2 | All versions |
Lenovo Lenovo Ix4 300d | All versions |
Lenovo Lenovoemc Px12 400r | All versions |
Lenovo Lenovoemc Px12 450r | All versions |
Lenovo Lenovoemc Px2 300d | All versions |
Lenovo Lenovoemc Px4 300d | All versions |
Lenovo Lenovoemc Px4 300r | All versions |
Lenovo Lenovoemc Px4 400d | All versions |
Lenovo Lenovoemc Px4 400r | All versions |
Lenovo Lenovoemc Px6 300d | All versions |
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.