CVE-2018-11344

{"id": "CVE-2018-11344", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-05-22T01:29:00.730", "references": [{"url": "http://seclists.org/fulldisclosure/2018/May/2", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/mefulton/asustorexploit", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.purehacking.com/blog/matthew-fulton/back-to-the-future-asustor-web-exploitation", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter."}, {"lang": "es", "value": "Una vulnerabilidad de salto de directorio en download.cgi en ASUSTOR AS6202T ADM 3.1.0.RFQ3 permite que los atacantes especifiquen de forma arbitraria un archivo en el sistema para descargar mediante el par\u00e1metro file1."}], "lastModified": "2019-03-21T16:49:02.263", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:asustor:as6202t_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F171B99E-57F5-4D47-BC86-C2381234D129", "versionEndIncluding": "adm_3.1.0.rfq3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:asustor:as6202t:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "22EA81DF-4F15-4327-ADA6-2A53E7230559"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}