CVE-2018-11346
Last modified
CVE-2018-11346 is a vulnerability of currently unknown severity. An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter.. EPSS estimates a 1.27% chance of exploitation in the next 30 days.
Description
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Asustor | As6202t Firmware | <= adm_3.1.0.rfq3 |
References
- http://seclists.org/fulldisclosure/2018/May/2Exploit, Mailing List, Third Party Advisory
- https://github.com/mefulton/asustorexploitExploit, Third Party Advisory
- https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitationExploit, Third Party Advisory
- http://seclists.org/fulldisclosure/2018/May/2Exploit, Mailing List, Third Party Advisory
- https://github.com/mefulton/asustorexploitExploit, Third Party Advisory
- https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitationExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-11346?
How severe is CVE-2018-11346?
How do I fix CVE-2018-11346?
Are you affected by CVE-2018-11346?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST