Unauthenticated Command Injection Vulnerability in Seagate Media Server by Seagate
CVE-2018-5347

9.8CRITICAL

Key Information:

Vendor: Seagate
Status: Personal Cloud Firmware
Vendor: CVE Published:; 12 January 2018

What is CVE-2018-5347?

The Seagate Media Server in Seagate Personal Cloud is vulnerable to unauthenticated command injection due to improper handling of .psp URLs by the fastcgi.server component. This issue arises in the uploadTelemetry and getLogs functions of views.py, allowing attackers to exploit shell metacharacters. Successful exploitation could result in remote command execution, potentially compromising the security of systems utilizing the vulnerable configurations.

References

https://www.exploit-db.com/exploits/43659/

exploitx_refsource_EXPLOIT-DB

https://blogs.securiteam.com/index.php/archives/3548

x_refsource_MISC

EPSS Score

37% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 12, 2018
Vulnerability Reserved
Jan 11, 2018

JSON