CVE-2018-14417
Summary
| CVE | CVE-2018-14417 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-04 01:29:00 UTC |
| Updated | 2018-10-02 20:24:00 UTC |
| Description | A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Malformed Request | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Release Notes - SoftNAS Documentation - SoftNAS Documentation | CONFIRM | docs.softnas.com | Vendor Advisory |
| SoftNAS Cloud < 4.0.3 - OS Command Injection | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| SoftNAS Cloud OS Command Injection \| Core Security | MISC | www.coresecurity.com | Exploit, Third Party Advisory |
| Full Disclosure: [CORE-2018-0009] - SoftNAS Cloud OS Command Injection | FULLDISC | seclists.org | Exploit, Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.