Vulnerability Description
An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker controlled code on the file system that can then be executed. Further, the filename parameter is vulnerable to path traversal and allows the attacker to place the file anywhere on the system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asustor | As6202T Firmware | <= adm_3.1.0.rfq3 |
| Asustor | As6202T | - |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2018/May/2Mailing ListThird Party Advisory
- https://github.com/mefulton/asustorexploitExploitThird Party Advisory
- https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-eExploitThird Party Advisory
- http://seclists.org/fulldisclosure/2018/May/2Mailing ListThird Party Advisory
- https://github.com/mefulton/asustorexploitExploitThird Party Advisory
- https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-eExploitThird Party Advisory
FAQ
What is CVE-2018-11345?
CVE-2018-11345 is a vulnerability with a CVSS score of 8.8 (HIGH). An unrestricted file upload vulnerability in upload.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to upload supplied data via the POST parameter filename. This can be used to place attacker c...
How severe is CVE-2018-11345?
CVE-2018-11345 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-11345?
Check the references section above for vendor advisories and patch information. Affected products include: Asustor As6202T Firmware, Asustor As6202T.