CVE-2018-19168

Name: CVE-2018-19168
Creator: NVD / NIST
Published: 2018-11-11T00:29:00.183+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 6.51%

Last modified Jun 17, 2026

CVE-2018-19168 is a vulnerability of currently unknown severity. Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session.. EPSS estimates a 6.51% chance of exploitation in the next 30 days.

Description

Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session.

Metrics

EPSS Probability

6.51%

92.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-78

Affected Software

Vendor	Product	Versions
Fruitywifi Project	Fruitywifi	<= 2.4

References

https://github.com/xtr4nge/FruityWifi/issues/250Third Party Advisory
https://github.com/xtr4nge/FruityWifi/issues/250Third Party Advisory

Timeline

Published: Nov 11, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-19168?

How severe is CVE-2018-19168?

Severity scoring for CVE-2018-19168 is pending analysis. The EPSS model estimates a 6.51% probability of exploitation in the next 30 days.

How do I fix CVE-2018-19168?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-19168?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST