8.8

CVE-2018-16739

Exploit

An issue was discovered on certain ABUS TVIP devices. Due to a path traversal in /opt/cgi/admin/filewrite, an attacker can write to files, and thus execute code arbitrarily with root privileges.

Data is provided by the National Vulnerability Database (NVD)
AbusTvip 10000 Firmware Version-
   AbusTvip 10000 Version-
AbusTvip 10001 Firmware Version-
   AbusTvip 10001 Version-
AbusTvip 10005 Firmware Version-
   AbusTvip 10005 Version-
AbusTvip 10005a Firmware Version-
   AbusTvip 10005a Version-
AbusTvip 10005b Firmware Version-
   AbusTvip 10005b Version-
AbusTvip 10050 Firmware Version-
   AbusTvip 10050 Version-
AbusTvip 10051 Firmware Version-
   AbusTvip 10051 Version-
AbusTvip 10055a Firmware Version-
   AbusTvip 10055a Version-
AbusTvip 10055b Firmware Version-
   AbusTvip 10055b Version-
AbusTvip 10500 Firmware Version-
   AbusTvip 10500 Version-
AbusTvip 10550 Firmware Version-
   AbusTvip 10550 Version-
AbusTvip 11000 Firmware Version-
   AbusTvip 11000 Version-
AbusTvip 11050 Firmware Version-
   AbusTvip 11050 Version-
AbusTvip 11500 Firmware Version-
   AbusTvip 11500 Version-
AbusTvip 11501 Firmware Version-
   AbusTvip 11501 Version-
AbusTvip 11502 Firmware Version-
   AbusTvip 11502 Version-
AbusTvip 11550 Firmware Version-
   AbusTvip 11550 Version-
AbusTvip 11551 Firmware Version-
   AbusTvip 11551 Version-
AbusTvip 11552 Firmware Version-
   AbusTvip 11552 Version-
AbusTvip 20000 Firmware Version-
   AbusTvip 20000 Version-
AbusTvip 20050 Firmware Version-
   AbusTvip 20050 Version-
AbusTvip 20500 Firmware Version-
   AbusTvip 20500 Version-
AbusTvip 20550 Firmware Version-
   AbusTvip 20550 Version-
AbusTvip 21000 Firmware Version-
   AbusTvip 21000 Version-
AbusTvip 21050 Firmware Version-
   AbusTvip 21050 Version-
AbusTvip 21500 Firmware Version-
   AbusTvip 21500 Version-
AbusTvip 21501 Firmware Version-
   AbusTvip 21501 Version-
AbusTvip 21502 Firmware Version-
   AbusTvip 21502 Version-
AbusTvip 21550 Firmware Version-
   AbusTvip 21550 Version-
AbusTvip 21551 Firmware Version-
   AbusTvip 21551 Version-
AbusTvip 21552 Firmware Version-
   AbusTvip 21552 Version-
AbusTvip 22500 Firmware Version-
   AbusTvip 22500 Version-
AbusTvip 31000 Firmware Version-
   AbusTvip 31000 Version-
AbusTvip 31001 Firmware Version-
   AbusTvip 31001 Version-
AbusTvip 31050 Firmware Version-
   AbusTvip 31050 Version-
AbusTvip 31500 Firmware Version-
   AbusTvip 31500 Version-
AbusTvip 31501 Firmware Version-
   AbusTvip 31501 Version-
AbusTvip 31550 Firmware Version-
   AbusTvip 31550 Version-
AbusTvip 31551 Firmware Version-
   AbusTvip 31551 Version-
AbusTvip 32500 Firmware Version-
   AbusTvip 32500 Version-
AbusTvip 51500 Firmware Version-
   AbusTvip 51500 Version-
AbusTvip 51550 Firmware Version-
   AbusTvip 51550 Version-
AbusTvip 71500 Firmware Version-
   AbusTvip 71500 Version-
AbusTvip 71501 Firmware Version-
   AbusTvip 71501 Version-
AbusTvip 71550 Firmware Version-
   AbusTvip 71550 Version-
AbusTvip 71551 Firmware Version-
   AbusTvip 71551 Version-
AbusTvip 72500 Firmware Version-
   AbusTvip 72500 Version-
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.24% 0.439
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.