CVE-2009-2765

Exploit

EPSS 91.68%
Veröffentlicht 14.08.2009 15:16:27
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other versions before build 12533, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to a cgi-bin/ URI.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dd-wrt ≫ Dd-wrt Updatesp1 Version <= 24

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	91.68%	0.997

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.3	6.5	10	AV:A/AC:L/Au:N/C:C/I:C/A:C

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173

Exploit

http://isc.sans.org/diary.html?storyid=6853

Patch

http://metasploit.com/svn/framework3/trunk/modules/exploits/linux/http/ddwrt_cgibin_exec.rb

Exploit

http://securitytracker.com/id?1022596

http://www.dd-wrt.com/

Patch

Vendor Advisory

http://www.exploit-db.com/exploits/9209

http://www.osvdb.org/55990