Vulnerability Description
D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the internal goForm endpoint '/goform/Mail_Test' and uses several form parameters directly in a call to a system email utility without proper input validation. An unauthenticated remote attacker can supply crafted form data that injects shell commands, resulting in execution as root on the device. NOTE: The DNS-343 product line has been declared end-of-life.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dlink | Dns-343 Firmware | <= 1.0.5 |
| Dlink | Dns-343 | - |
Related Weaknesses (CWE)
References
- https://github.com/jamesbercegay/advisories/blob/master/%5BGTSA-00128%5D%20D-LinThird Party Advisory
- https://qkl.seebug.org/vuldb/ssvid-97088Third Party Advisory
- https://www.dlink.com/al/sq/products/dns-343-sharecenter-4-bay-network-storage-eProduct
- https://www.exploit-db.com/exploits/43845Exploit
- https://www.vulncheck.com/advisories/dlink-dns343-sharecenter-command-injection-Third Party Advisory
FAQ
What is CVE-2018-25120?
CVE-2018-25120 is a vulnerability with a CVSS score of 9.8 (CRITICAL). D-Link DNS-343 ShareCenter devices running firmware versions up to and including 1.05 contain a command injection vulnerability in the Mail Test functionality. The web maintenance script posts to the ...
How severe is CVE-2018-25120?
CVE-2018-25120 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-25120?
Check the references section above for vendor advisories and patch information. Affected products include: Dlink Dns-343 Firmware, Dlink Dns-343.