ID

VAR-201811-0163


CVE

CVE-2018-13307


TITLE

TOTOLINK A3002RU Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-012449

DESCRIPTION

System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable. TOTOLINK A3002RU contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). TOTOLINK A3002RU is a wireless router product of TOTOLINK. A command injection vulnerability exists in fromNtp in the TOTOLINK A3002RU 1.0.8 release.

Trust: 2.34

sources: NVD: CVE-2018-13307 // JVNDB: JVNDB-2018-012449 // CNVD: CNVD-2018-26643 // VULHUB: VHN-123353 // VULMON: CVE-2018-13307

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-26643

AFFECTED PRODUCTS

vendor: totolink, model: a3002ru, scope: eq, version: 1.0.8

Trust: 3.0

sources: CNVD: CNVD-2018-26643 // JVNDB: JVNDB-2018-012449 // CNNVD: CNNVD-201811-789 // NVD: CVE-2018-13307

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13307
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-13307
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-26643
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201811-789
value: CRITICAL

Trust: 0.6

VULHUB: VHN-123353
value: HIGH

Trust: 0.1

VULMON: CVE-2018-13307
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-13307
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-26643
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-123353
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13307
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-26643 // VULHUB: VHN-123353 // VULMON: CVE-2018-13307 // JVNDB: JVNDB-2018-012449 // CNNVD: CNNVD-201811-789 // NVD: CVE-2018-13307

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: CWE-77

Trust: 0.9

sources: VULHUB: VHN-123353 // JVNDB: JVNDB-2018-012449 // NVD: CVE-2018-13307

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201811-789

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201811-789

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012449

PATCH

title: A3002RU, url: http://totolink.net/home/menu/newstpl/menu_newstpl/products/id/163.html?jdfwkey=ylf0k

Trust: 0.8

sources: JVNDB: JVNDB-2018-012449

EXTERNAL IDS

db: NVD, id: CVE-2018-13307

Trust: 3.2

db: JVNDB, id: JVNDB-2018-012449

Trust: 0.8

db: CNNVD, id: CNNVD-201811-789

Trust: 0.7

db: CNVD, id: CNVD-2018-26643

Trust: 0.6

db: VULHUB, id: VHN-123353

Trust: 0.1

db: VULMON, id: CVE-2018-13307

Trust: 0.1

sources: CNVD: CNVD-2018-26643 // VULHUB: VHN-123353 // VULMON: CVE-2018-13307 // JVNDB: JVNDB-2018-012449 // CNNVD: CNNVD-201811-789 // NVD: CVE-2018-13307

REFERENCES

url: https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154

Trust: 2.6

url: https://nvd.nist.gov/vuln/detail/cve-2018-13307

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13307

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2018-26643 // VULHUB: VHN-123353 // VULMON: CVE-2018-13307 // JVNDB: JVNDB-2018-012449 // CNNVD: CNNVD-201811-789 // NVD: CVE-2018-13307

SOURCES

db: CNVD, id: CNVD-2018-26643
db: VULHUB, id: VHN-123353
db: VULMON, id: CVE-2018-13307
db: JVNDB, id: JVNDB-2018-012449
db: CNNVD, id: CNNVD-201811-789
db: NVD, id: CVE-2018-13307

LAST UPDATE DATE

2024-11-23T21:38:02.892000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-26643, date: 2018-12-26T00:00:00
db: VULHUB, id: VHN-123353, date: 2019-10-03T00:00:00
db: VULMON, id: CVE-2018-13307, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2018-012449, date: 2019-02-04T00:00:00
db: CNNVD, id: CNNVD-201811-789, date: 2022-03-24T00:00:00
db: NVD, id: CVE-2018-13307, date: 2024-11-21T03:46:49.630

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-26643, date: 2018-12-26T00:00:00
db: VULHUB, id: VHN-123353, date: 2018-11-27T00:00:00
db: VULMON, id: CVE-2018-13307, date: 2018-11-27T00:00:00
db: JVNDB, id: JVNDB-2018-012449, date: 2019-02-04T00:00:00
db: CNNVD, id: CNNVD-201811-789, date: 2018-11-28T00:00:00
db: NVD, id: CVE-2018-13307, date: 2018-11-27T20:29:00.457