Vulnerability Monitor

CVE-2018-9075


For some Iomega, Lenovo, and LenovoEMC NAS devices running firmware versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.


Published

2018-09-28T20:29:00.753

Last Modified

2024-11-21T04:14:55.367

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-78

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | lenovo | lenovoemc_firmware | ≤ 4.1.402.34662 | Yes |
| Hardware | lenovo | iomega_ez_media_\&_backup_center | - | No |
| Hardware | lenovo | iomega_storcenter_ix2 | - | No |
| Hardware | lenovo | iomega_storcenter_ix2-dl | - | No |
| Hardware | lenovo | iomega_storcenter_ix4-300d | - | No |
| Hardware | lenovo | iomega_storcenter_px12-400r | - | No |
| Hardware | lenovo | iomega_storcenter_px12-450r | - | No |
| Hardware | lenovo | iomega_storcenter_px2-300d | - | No |
| Hardware | lenovo | iomega_storcenter_px4-300d | - | No |
| Hardware | lenovo | iomega_storcenter_px4-300r | - | No |
| Hardware | lenovo | iomega_storcenter_px6-300d | - | No |
| Hardware | lenovo | lenovo_ez_media_\&_backup_center | - | No |
| Hardware | lenovo | lenovo_ix2 | - | No |
| Hardware | lenovo | lenovo_ix4-300d | - | No |
| Hardware | lenovo | lenovoemc_px12-400r | - | No |
| Hardware | lenovo | lenovoemc_px12-450r | - | No |
| Hardware | lenovo | lenovoemc_px2-300d | - | No |
| Hardware | lenovo | lenovoemc_px4-300d | - | No |
| Hardware | lenovo | lenovoemc_px4-300r | - | No |
| Hardware | lenovo | lenovoemc_px4-400d | - | No |
| Hardware | lenovo | lenovoemc_px4-400r | - | No |
| Hardware | lenovo | lenovoemc_px6-300d | - | No |
