Vulnerability CVE-2008-0804


Published: 2008-02-18   Modified: 2012-02-12

Description:
PHP remote file inclusion vulnerability in usrgetform.html in Thecus N5200Pro NAS Server allows remote attackers to execute arbitrary PHP code via a URL in the name parameter.

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

Vendor: Thecus
Product: N5200pro nas server control panel 

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securityfocus.com/bid/27865
http://www.milw0rm.com/exploits/5150
http://secunia.com/advisories/29013

Related CVE
CVE-2013-5669
The Thecus NAS server N8800 with firmware 5.03.01 uses cleartext credentials for administrative authentication, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2013-5667
The Thecus NAS server N8800 with firmware 5.03.01 allows remote attackers to execute arbitrary commands via a get_userid action with shell metacharacters in the username parameter.
CVE-2013-5668
The ADS/NT Support page on the Thecus NAS server N8800 with firmware 5.03.01 allows remote attackers to discover the administrator credentials by reading this page's cleartext content.

Copyright 2019, cxsecurity.com

 

Back to Top