CVE-2018-14417

A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv…

mitre·CWE-78·Published 2018-08-03

CVSS

—

EPSS

0.90

KEV

Exploits

cve.orgen

304 chars

A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions.

NVDen

304 chars

NVDes

339 chars

Se ha encontrado una vulnerabilidad de inyección de comandos en la consola de administración web en SoftNAS Cloud en versiones anteriores a la 4.0.3. En particular, el script snserv no saneó el parámetro "recentVersion" desde el endpoint snserv, lo que permite que un atacante no autenticado ejecute comandos arbitrarios con permisos root.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	10.0	10.0	10.0	AV:N/AC:L/Au:N/C:C/I:C/A:C
3.0	Primary	NVD	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H