Insufficient Access Control in Seagate NAS OS
CVE-2018-12296
7.5 HIGH
What is CVE-2018-12296?
An insufficient access control vulnerability exists in Seagate's NAS OS version 4.3.15.1, specifically in the endpoint responsible for system information retrieval. This flaw permits remote attackers to send empty POST requests, which can yield critical information about the NAS device without any form of authentication. The exposure of such data can lead to further attacks and exploitation of the affected device.
EPSS Score
69% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
