CVE-2018-3954
Summary
| CVE | CVE-2018-3954 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-10-17 02:29:00 UTC |
| Updated | 2023-04-26 18:52:00 UTC |
| Description | Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAMData entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. When the 'preinit' binary receives the SIGHUP signal it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Linksys | E1200 | - | All | All | All |
| Hardware | Linksys | E1200 | - | All | All | All |
| Operating System | Linksys | E1200 Firmware | 2.0.09 | All | All | All |
| Operating System | Linksys | E1200 Firmware | 2.0.09 | All | All | All |
| Hardware | Linksys | E2500 | - | All | All | All |
| Hardware | Linksys | E2500 | - | All | All | All |
| Operating System | Linksys | E2500 Firmware | 3.0.04 | All | All | All |
| Operating System | Linksys | E2500 Firmware | 3.0.04 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| TALOS-2018-0625 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence | MISC | talosintelligence.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.