Vulnerability CVE-2015-2874


Published: 2015-12-31

Description:
Seagate GoFlex Satellite, Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage, and LaCie FUEL devices with firmware before 3.4.1.105 have a default password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session.

See advisories in our WLB2 database:
Topic
Author
Date
High
Seagate GoFlex Satellite Remote Telnet Default Password
Matt Bergin
19.12.2015

Vendor: Lacie
Product: Lac9000464u firmware 
Version: 2.3.0.014;
Product: Lac9000436u firmware 
Version: 2.3.0.014;
Vendor: Seagate
Product: Goflex sattelite 
Product: Wireless plus mobile storage 
Product: Wireless mobile storage 

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
https://www.kb.cert.org/vuls/id/GWAN-A26L3F
https://www.kb.cert.org/vuls/id/GWAN-9ZGTUH
https://www.kb.cert.org/vuls/id/903500

Related CVE
CVE-2018-12304
Cross-site scripting in Application Manager in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via multiple application metadata fields: Short Description, Publisher Name, Publisher Contact, or Website URL.
CVE-2018-12303
Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names.
CVE-2018-12302
Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting.
CVE-2018-12301
Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost.
CVE-2018-12300
Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
CVE-2018-12299
Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names.
CVE-2018-12298
Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows attackers to read files within the application's container via a URL path.
CVE-2018-12297
Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names.

Copyright 2019, cxsecurity.com

 

Back to Top