{"api_version":"1","generated_at":"2026-05-13T15:17:38+00:00","cve":"CVE-2018-5347","urls":{"html":"https://cve.report/CVE-2018-5347","api":"https://cve.report/api/cve/CVE-2018-5347.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-5347","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-5347"},"summary":{"title":"CVE-2018-5347","description":"Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-01-12 01:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://www.exploit-db.com/exploits/43659/","name":"43659","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Seagate Personal Cloud - Multiple Vulnerabilities - Hardware remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://blogs.securiteam.com/index.php/archives/3548","name":"https://blogs.securiteam.com/index.php/archives/3548","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"401 Authorization Required","mime":"text/html","httpstatus":"401","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-5347","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-5347","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"5347","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"seagate","cpe5":"personal_cloud","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5347","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"seagate","cpe5":"personal_cloud","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5347","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"seagate","cpe5":"personal_cloud_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"5347","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"seagate","cpe5":"personal_cloud_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-5347","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"43659","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/43659/"},{"name":"https://blogs.securiteam.com/index.php/archives/3548","refsource":"MISC","url":"https://blogs.securiteam.com/index.php/archives/3548"}]}},"nvd":{"publishedDate":"2018-01-12 01:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:seagate:personal_cloud_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:seagate:personal_cloud:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"5347","Ordinal":"121317","Title":"CVE-2018-5347","CVE":"CVE-2018-5347","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"5347","Ordinal":"1","NoteData":"Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"5347","Ordinal":"2","NoteData":"2018-01-11","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"5347","Ordinal":"3","NoteData":"2018-01-17","Type":"Other","Title":"Modified"}]}}}