7.5
CVE-2014-2846
- EPSS 8.83%
- Veröffentlicht 28.04.2014 14:09:07
- Zuletzt bearbeitet 06.05.2026 22:30:45
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Westerndigital ≫ Arkeia Virtual Appliance Firmware Version <= 10.2.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.83% | 0.946 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
http://seclists.org/fulldisclosure/2014/Apr/257
http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution
http://www.securityfocus.com/archive/1/531910/100/0/threaded