PT-2017-3506 · Seagate · Seagate Personal Cloud

Yorick Koster · Published 2017-10-16 · Updated 2019-10-03 · CVE-2018-5347

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Seagate Personal Cloud (affected versions not specified)

Description: The issue is in the Media Server component of Seagate Personal Cloud, specifically the uploadTelemetry and getLogs functions in views.py. These functions fail to neutralize special elements used in an OS command, which allows an attacker to execute arbitrary commands with root privileges. The vulnerability is also described as unauthenticated command injection: .psp URLs handled by the fastcgi.server component mishandle shell metacharacters.

Recommendations: For the affected Media Server component, consider disabling the uploadTelemetry and getLogs functions until a patch is available. Restrict access to the views.py file to minimize the risk of exploitation. Avoid using the fastcgi.server component to handle .psp URLs in the affected Media Server component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
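As an added illustration of the weakness class named in the description (CWE-style failure to neutralize shell metacharacters in an OS command), the following Python shows the unsafe command-building pattern beside a hardened version, together with a small check a defender can run over request parameters. This is example code written for this record; it is not Seagate's code and not a reconstruction of views.py. The function names, the log-archive command, the paths and the sample parameter values are all constructed for the example.

```python
"""Constructed example of an OS command injection pattern and its fix.

Nothing here is Seagate's code: the handler names, the tar command, the
paths and the sample inputs are invented for illustration.
"""
import re
import shlex
import subprocess

# Characters that /bin/sh treats specially. Used to explain why the unsafe
# builder is dangerous and as a cheap detection aid when reviewing logs.
SHELL_METACHARS = frozenset(";&|`$<>(){}*?[]~\\'\"\n")

# Strict allowlist for a log file name: letters, digits, dot, dash, underscore.
SAFE_LOG_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Tokens that separate one shell command from the next.
COMMAND_SEPARATORS = {";", "&", "&&", "|", "||"}


def build_command_unsafe(log_name: str) -> str:
    """Vulnerable pattern (hypothetical): a request parameter is spliced into a
    string destined for a shell (e.g. subprocess.run(cmd, shell=True)).
    Any metacharacter in log_name becomes part of the command line."""
    return f"tar czf /tmp/logs.tgz /var/log/{log_name}"


def build_command_hardened(log_name: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then build an argv list
    that is executed without a shell, so the value is never re-parsed."""
    if not SAFE_LOG_NAME.fullmatch(log_name) or log_name in {".", ".."}:
        raise ValueError(f"rejected log name: {log_name!r}")
    # "--" stops tar from treating a name beginning with "-" as an option.
    return ["tar", "czf", "/tmp/logs.tgz", "-C", "/var/log", "--", log_name]


def is_rejected(log_name: str) -> bool:
    """True if the hardened builder refuses the parameter."""
    try:
        build_command_hardened(log_name)
    except ValueError:
        return True
    return False


def run_hardened(log_name: str) -> subprocess.CompletedProcess:
    """Execute with shell=False: the argv list goes straight to execve."""
    return subprocess.run(build_command_hardened(log_name), shell=False,
                          check=False, capture_output=True)


def contains_shell_metachars(value: str) -> bool:
    """Detection helper: flag a request parameter carrying shell metacharacters,
    e.g. while reviewing access logs for this class of bug."""
    return any(ch in SHELL_METACHARS for ch in value)


def count_shell_commands(command: str) -> int:
    """Tokenize a command string the way a POSIX shell would (';', '|', '&'
    become their own tokens) and count how many separate commands the shell
    would run. A value above 1 means the parameter changed command structure."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in COMMAND_SEPARATORS)


if __name__ == "__main__":
    benign, tainted = "system.log", "system.log; ls"   # constructed inputs
    for value in (benign, tainted):
        print(f"{value!r}: metachars={contains_shell_metachars(value)}, "
              f"commands_if_shelled={count_shell_commands(build_command_unsafe(value))}, "
              f"rejected_by_hardened={is_rejected(value)}")
```

The point of `count_shell_commands` is to make the mechanism visible without executing anything: the unsafe string built from the benign name parses as one command, while the same string built from a name containing `;` parses as two. The hardened builder rejects the second input outright, and even an input that passed validation would be handed to `execve` as a single argument rather than to a shell.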

Exploit

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2018-00352
CVE-2018-5347

Affected Products

Seagate Personal Cloud