CVE-2018-3954 Vulnerability Details

  /     /     /  

CVE-2018-3954 Metadata Quick Info

CVE Published: 17/10/2018 | CVE Updated: 17/09/2024 | CVE Year: 2018
Source: talos | Vendor: Linksys | Product: ESeries E1200
Status : PUBLISHED

CVE-2018-3954 Description

Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAMData entered into the \'Router Name\' input field through the web portal is submitted to apply.cgi as the value to the \'machine_name\' POST parameter. When the \'preinit\' binary receives the SIGHUP signal it enters a code path that calls a function named \'set_host_domain_name\' from its libshared.so shared object.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID:
CWE Name: OS Command Injection
Source: Linksys

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: