Directory Traversal Vulnerability in NETGEAR Devices
CVE-2016-10106

6.5MEDIUM

Key Information:

Vendor
Netgear
Status
Fvs336gv3 Firmware
Vendor
CVE Published:
3 January 2017

Summary

A directory traversal vulnerability exists in the scgi-bin/platform.cgi component of certain NETGEAR devices. This flaw permits remote authenticated users to gain unauthorized access to sensitive files on the system, specifically through the manipulation of the 'thispage' parameter in requests. An attacker can exploit this vulnerability by using a '..' (dot dot) sequence to navigate the file structure, potentially allowing access to critical files, such as the /etc/shadow file, which contains user hashes. Devices with firmware versions prior to 4.3.3-8 are affected.

References

http://kb.netgear.com/30739/Path-Traversal-Attack-Securit...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/95204
vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1037548
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.