CVE-2016-1555

Warnung

Exploit

EPSS 93.97%
Veröffentlicht 21.04.2017 15:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cret@cert.org
Teams Watchlist Login
Unerledigt Login

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Netgear ≫ Wnap320 Firmware Version <= 3.0.5.0

Netgear ≫ Wnap320 Version-

Netgear ≫ Wndap350 Firmware Version <= 3.0.5.0

Netgear ≫ Wndap350 Version-

Netgear ≫ Wndap360 Firmware Version <= 3.0.5.0

Netgear ≫ Wndap360 Version-

Netgear ≫ Wndap210v2 Firmware Version <= 3.0.5.0

Netgear ≫ Wndap210v2 Version-

Netgear ≫ Wn604 Firmware Version <= 3.3.2

Netgear ≫ Wn604 Version-

Netgear ≫ Wndap660 Firmware Version <= 3.0.5.0

Netgear ≫ Wndap660 Version-

Netgear ≫ Wn802tv2 Firmware Version <= 3.0.5.0

Netgear ≫ Wn802tv2 Version-

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

NETGEAR Multiple WAP Devices Command Injection Vulnerability

Schwachstelle

Multiple NETGEAR Wireless Access Point devices allows unauthenticated web pages to pass form input directly to the command-line interface. Exploitation allows for arbitrary code execution.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	93.97%	0.999

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	10	10	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://packetstormsecurity.com/files/135956/D-Link-Netgear-FIRMADYNE-Command-Injection-Buffer-Overflow.html

Third Party Advisory

VDB Entry

http://seclists.org/fulldisclosure/2016/Feb/112

Third Party Advisory

Mailing List

https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic

Patch

Vendor Advisory

https://www.exploit-db.com/exploits/45909/

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2016-1555

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-1555

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-1555

EUVD