Vulnerability CVE-2014-1982


Published: 2014-03-31

Description:
The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary commands via a direct request to cli.html.

See advisories in our WLB2 database:
Topic: Allied Telesis AT-RG634A ADSL router unauthenticated webshell (High)
Author: Sebastian Muniz
Date: 26.03.2014

Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

Vendor: Alliedtelesis
Product: Img646bd firmware 
Version: 3.5;
Product: Img624a firmware 
Version: 3.5;
Product: At-rg634a firmware 
Version: 3.3+;
Product: At-rg634a 
Product: Img624a 
Product: Img616lh 
Product: Img646bd 
Product: Img616lh firmware 
Version: +2.4;

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://www.exploit-db.com/exploits/32545
http://seclists.org/fulldisclosure/2014/Mar/340

Copyright 2019, cxsecurity.com

 
