CVE Vulnerability

CVE-2018-18471

/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.axentra.com/en/ Vendor Advisory
https://www.wizcase.com/blog/hack-2018/ Exploit Third Party Advisory
Configurations

Configuration 1
Information

Published : 2019-06-19 04:15

Updated : 2019-06-24 12:02

NVD link : CVE-2018-18471

Mitre link : CVE-2018-18471

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference