CVE-2016-10106

Name of the Vulnerable Software and Affected Versions NETGEAR FVS336Gv3 versions prior to 4.3.3-8 NETGEAR FVS318N versions prior to 4.3.3-8 NETGEAR FVS318Gv2 versions prior to 4.3.3-8 NETGEAR SRX5308 versions prior to 4.3.3-8

Description The issue allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter. This can be demonstrated by reading the /etc/shadow file.

Recommendations For NETGEAR FVS336Gv3 versions prior to 4.3.3-8, update to firmware version 4.3.3-8 or later. For NETGEAR FVS318N versions prior to 4.3.3-8, update to firmware version 4.3.3-8 or later. For NETGEAR FVS318Gv2 versions prior to 4.3.3-8, update to firmware version 4.3.3-8 or later. For NETGEAR SRX5308 versions prior to 4.3.3-8, update to firmware version 4.3.3-8 or later. As a temporary workaround, consider restricting access to the scgi-bin/platform.cgi endpoint until a patch is available. Avoid using the thispage parameter in the affected endpoint until the issue is resolved.