ID
VAR-201807-0387
CVE
CVE-2018-14010
TITLE
plural Xiaomi In product OS Command injection vulnerability
Trust: 0.8
DESCRIPTION
OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. plural Xiaomi The product includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Xiaomi routers R3D / R3P / R3C / R3 are all router products. There is a remote arbitrary command execution vulnerability in the wi-fi setting function of several Xiaomi routers. An attacker could use this vulnerability to execute arbitrary code remotely
Trust: 2.25
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
| category: | ['network device'] | sub_category: | router | Trust: 0.1 |
AFFECTED PRODUCTS
| vendor: | mi | model: | xiaomi r3p | scope: | lt | version: | 2.14.5 | Trust: 1.0 |
| vendor: | mi | model: | xiaomi r3c | scope: | lt | version: | 2.12.15 | Trust: 1.0 |
| vendor: | mi | model: | xiaomi r3 | scope: | lt | version: | 2.22.15 | Trust: 1.0 |
| vendor: | mi | model: | xiaomi r3d | scope: | lt | version: | 2.26.4 | Trust: 1.0 |
| vendor: | xiaomi | model: | r3 | scope: | lt | version: | 2.22.15 | Trust: 0.8 |
| vendor: | xiaomi | model: | r3c | scope: | lt | version: | 2.12.15 | Trust: 0.8 |
| vendor: | xiaomi | model: | r3d | scope: | lt | version: | 2.26.4 | Trust: 0.8 |
| vendor: | xiaomi | model: | r3p | scope: | lt | version: | 2.14.5 | Trust: 0.8 |
| vendor: | - | model: | xiaomi technology co. ltd.xiaomi router r3 | scope: | lt | version: | 2.22.15 | Trust: 0.6 |
| vendor: | - | model: | xiaomi technology co. ltd.xiaomi router r3c | scope: | lt | version: | 2.12.15 | Trust: 0.6 |
| vendor: | xiaomi | model: | router r3d | scope: | lt | version: | 2.26.4 | Trust: 0.6 |
| vendor: | xiaomi | model: | router r3p | scope: | lt | version: | 2.14.5 | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-78 | Trust: 1.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
operating system commend injection
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Top Page | url: | https://www.mi.com/en/index.html | Trust: 0.8 |
| title: | A remote arbitrary command execution vulnerability exists in several Xiaomi smart routers | url: | https://www.cnvd.org.cn/patchInfo/show/120311 | Trust: 0.6 |
| title: | Multiple Xiaomi Product operating system command injection vulnerability fixes | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84055 | Trust: 0.6 |
| title: | router | url: | https://github.com/cc-crack/router | Trust: 0.1 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2018-14010 | Trust: 3.2 |
| db: | CNVD | id: | CNVD-2018-04521 | Trust: 3.1 |
| db: | JVNDB | id: | JVNDB-2018-008091 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201807-1155 | Trust: 0.6 |
| db: | OTHER | id: | NONE | Trust: 0.1 |
| db: | VULMON | id: | CVE-2018-14010 | Trust: 0.1 |
REFERENCES
| url: | https://github.com/cc-crack/router/blob/master/cnvd-2018-04521.py | Trust: 2.5 |
| url: | http://www.cnvd.org.cn/flaw/show/cnvd-2018-04521 | Trust: 1.7 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14010 | Trust: 0.8 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-14010 | Trust: 0.8 |
| url: | https://ieeexplore.ieee.org/abstract/document/10769424 | Trust: 0.1 |
| url: | https://cwe.mitre.org/data/definitions/78.html | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
| url: | https://github.com/cc-crack/router | Trust: 0.1 |
SOURCES
| db: | OTHER | id: | - |
| db: | CNVD | id: | CNVD-2018-04521 |
| db: | VULMON | id: | CVE-2018-14010 |
| db: | JVNDB | id: | JVNDB-2018-008091 |
| db: | CNNVD | id: | CNNVD-201807-1155 |
| db: | NVD | id: | CVE-2018-14010 |
LAST UPDATE DATE
2025-01-30T19:29:55.434000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2018-04521 | date: | 2018-03-12T00:00:00 |
| db: | VULMON | id: | CVE-2018-14010 | date: | 2018-09-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2018-008091 | date: | 2018-10-09T00:00:00 |
| db: | CNNVD | id: | CNNVD-201807-1155 | date: | 2018-08-13T00:00:00 |
| db: | NVD | id: | CVE-2018-14010 | date: | 2024-11-21T03:48:26.510 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2018-04521 | date: | 2018-04-23T00:00:00 |
| db: | VULMON | id: | CVE-2018-14010 | date: | 2018-07-15T00:00:00 |
| db: | JVNDB | id: | JVNDB-2018-008091 | date: | 2018-10-09T00:00:00 |
| db: | CNNVD | id: | CNNVD-201807-1155 | date: | 2018-07-14T00:00:00 |
| db: | NVD | id: | CVE-2018-14010 | date: | 2018-07-15T03:29:00.227 |