Vulnerability Monitor

CVE-2017-3209


The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities.


Published

2018-07-24T15:29:00.687

Last Modified

2024-11-21T03:25:02.380

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:A/AC:L/Au:N/C:P/I:P/A:N

  • Access Vector: ADJACENT_NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

6.5

Impact Score

4.9

Weaknesses
  • Type: Secondary
    CWE-276
  • Type: Primary
    CWE-276
    CWE-306

Affected Vendors & Products
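| Type             | Vendor  | Product        | Version/Range | Vulnerable? |
|------------------|---------|----------------|---------------|-------------|
| Operating System | dbpower | u818a_firmware | -             | Yes         |
| Application      | busybox | busybox        | -             | No          |
| Hardware         | dbpower | u818a          | -             | No          |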
