ID

VAR-201904-0618


CVE

CVE-2018-17990


TITLE

OS command injection vulnerability in D-Link DSL-3782 devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015149

DESCRIPTION

An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter. D-Link DSL-3782 devices contain an OS command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The D-Link DSL-3782 is a wireless router from D-Link Corporation of Taiwan, China. An operating system command injection vulnerability exists in the D-Link DSL-3782 running firmware version 1.01. The vulnerability arises because externally supplied input is used to construct executable operating system commands, and the network system or product does not properly filter special characters, commands, etc.

Trust: 2.25

sources: NVD: CVE-2018-17990 // JVNDB: JVNDB-2018-015149 // CNVD: CNVD-2019-14084 // VULHUB: VHN-128505

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-14084

AFFECTED PRODUCTS

vendor: d link, model: dsl-3782, scope: eq, version: 1.01

Trust: 1.4

vendor: dlink, model: dsl-3782, scope: eq, version: 1.01

Trust: 1.0

sources: CNVD: CNVD-2019-14084 // JVNDB: JVNDB-2018-015149 // NVD: CVE-2018-17990

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-17990
value: HIGH

Trust: 1.0

NVD: CVE-2018-17990
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-14084
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201904-038
value: HIGH

Trust: 0.6

VULHUB: VHN-128505
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-17990
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-14084
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-128505
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-17990
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-14084 // VULHUB: VHN-128505 // JVNDB: JVNDB-2018-015149 // CNNVD: CNNVD-201904-038 // NVD: CVE-2018-17990

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.9

sources: VULHUB: VHN-128505 // JVNDB: JVNDB-2018-015149 // NVD: CVE-2018-17990

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-038

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-038

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015149

PATCH

title: DSL-3782, url: https://eu.dlink.com/pt/pt/products/dsl-3782-wireless-ac1200-dual-band-vdsl-adsl-modem-router

Trust: 0.8

sources: JVNDB: JVNDB-2018-015149

EXTERNAL IDS

db: NVD, id: CVE-2018-17990

Trust: 3.1

db: JVNDB, id: JVNDB-2018-015149

Trust: 0.8

db: CNNVD, id: CNNVD-201904-038

Trust: 0.7

db: CNVD, id: CNVD-2019-14084

Trust: 0.6

db: NSFOCUS, id: 43093

Trust: 0.6

db: VULHUB, id: VHN-128505

Trust: 0.1

sources: CNVD: CNVD-2019-14084 // VULHUB: VHN-128505 // JVNDB: JVNDB-2018-015149 // CNNVD: CNNVD-201904-038 // NVD: CVE-2018-17990

REFERENCES

url:https://c0mix.github.io/2019/d-link-dir-3782-secadvisory-os-command-injection-and-stored-xss/

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-17990

Trust: 2.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-17990

Trust: 0.8

url:http://www.nsfocus.net/vulndb/43093

Trust: 0.6

sources: CNVD: CNVD-2019-14084 // VULHUB: VHN-128505 // JVNDB: JVNDB-2018-015149 // CNNVD: CNNVD-201904-038 // NVD: CVE-2018-17990

CREDITS

vendor ??

Trust: 0.6

sources: CNNVD: CNNVD-201904-038

SOURCES

db: CNVD, id: CNVD-2019-14084
db: VULHUB, id: VHN-128505
db: JVNDB, id: JVNDB-2018-015149
db: CNNVD, id: CNNVD-201904-038
db: NVD, id: CVE-2018-17990

LAST UPDATE DATE

2024-11-23T23:01:51.332000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-14084, date: 2019-05-14T00:00:00
db: VULHUB, id: VHN-128505, date: 2019-04-02T00:00:00
db: JVNDB, id: JVNDB-2018-015149, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201904-038, date: 2019-04-04T00:00:00
db: NVD, id: CVE-2018-17990, date: 2024-11-21T03:55:20.697

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-14084, date: 2019-05-14T00:00:00
db: VULHUB, id: VHN-128505, date: 2019-04-01T00:00:00
db: JVNDB, id: JVNDB-2018-015149, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201904-038, date: 2019-04-01T00:00:00
db: NVD, id: CVE-2018-17990, date: 2019-04-01T21:29:26.920