ID

VAR-201805-0852


CVE

CVE-2018-11345


TITLE

ASUSTOR AS6202T vulnerable to unrestricted upload of dangerous file types

Trust: 0.8

sources: JVNDB: JVNDB-2018-005454

DESCRIPTION

An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker-controlled code on the file system that can then be executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system. ASUSTOR AS6202T contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUSTOR AS6202T ADM is the operating system for ASUSTOR NAS storage devices, developed by ASUSTOR. The upload.cgi file in ASUSTOR AS6202T ADM 3.1.0.RFQ3 has a security vulnerability.

Trust: 1.71

sources: NVD: CVE-2018-11345 // JVNDB: JVNDB-2018-005454 // VULHUB: VHN-121195

AFFECTED PRODUCTS

vendor: asustor, model: as6202t, scope: lte, version: adm_3.1.0.rfq3

Trust: 1.0

vendor: asustor, model: as6202t, scope: eq, version: adm 3.1.0.rfq3

Trust: 0.8

vendor: asustor, model: as6202t, scope: eq, version: adm_3.1.0.rfq3

Trust: 0.6

sources: JVNDB: JVNDB-2018-005454 // CNNVD: CNNVD-201805-755 // NVD: CVE-2018-11345

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-11345
value: HIGH

Trust: 1.0

NVD: CVE-2018-11345
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201805-755
value: HIGH

Trust: 0.6

VULHUB: VHN-121195
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-11345
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-121195
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-11345
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-121195 // JVNDB: JVNDB-2018-005454 // CNNVD: CNNVD-201805-755 // NVD: CVE-2018-11345

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.9

sources: VULHUB: VHN-121195 // JVNDB: JVNDB-2018-005454 // NVD: CVE-2018-11345

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-755

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201805-755

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005454

PATCH

title: AS6202T, url: https://www.asustor.com/ja/product/AS6202T?p_id=40

Trust: 0.8

sources: JVNDB: JVNDB-2018-005454

EXTERNAL IDS

db: NVD, id: CVE-2018-11345

Trust: 2.5

db: JVNDB, id: JVNDB-2018-005454

Trust: 0.8

db: CNNVD, id: CNNVD-201805-755

Trust: 0.7

db: VULHUB, id: VHN-121195

Trust: 0.1

sources: VULHUB: VHN-121195 // JVNDB: JVNDB-2018-005454 // CNNVD: CNNVD-201805-755 // NVD: CVE-2018-11345

REFERENCES

url:https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation

Trust: 2.5

url:http://seclists.org/fulldisclosure/2018/may/2

Trust: 1.7

url:https://github.com/mefulton/asustorexploit

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11345

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-11345

Trust: 0.8

sources: VULHUB: VHN-121195 // JVNDB: JVNDB-2018-005454 // CNNVD: CNNVD-201805-755 // NVD: CVE-2018-11345

SOURCES

db: VULHUB, id: VHN-121195
db: JVNDB, id: JVNDB-2018-005454
db: CNNVD, id: CNNVD-201805-755
db: NVD, id: CVE-2018-11345

LAST UPDATE DATE

2024-11-23T23:05:06.798000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-121195, date: 2019-03-29T00:00:00
db: JVNDB, id: JVNDB-2018-005454, date: 2018-07-18T00:00:00
db: CNNVD, id: CNNVD-201805-755, date: 2019-04-03T00:00:00
db: NVD, id: CVE-2018-11345, date: 2024-11-21T03:43:10.893

SOURCES RELEASE DATE

db: VULHUB, id: VHN-121195, date: 2018-05-22T00:00:00
db: JVNDB, id: JVNDB-2018-005454, date: 2018-07-18T00:00:00
db: CNNVD, id: CNNVD-201805-755, date: 2018-05-23T00:00:00
db: NVD, id: CVE-2018-11345, date: 2018-05-22T01:29:00.777