Vulnerability CVE-2018-14417


Published: 2018-08-03   Modified: 2018-08-04

Description:
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions.

See advisories in our WLB2 database:
Topic: SoftNAS Cloud OS Command Injection (High)
Author: CORE
Date: 27.07.2018

Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://seclists.org/fulldisclosure/2018/Jul/85
http://www.securityfocus.com/bid/104914
https://docs.softnas.com/display/SD/Release+Notes
https://www.coresecurity.com/advisories/softnas-cloud-os-command-injection
https://www.exploit-db.com/exploits/45097/
