PT-2018-10503 · Asustor · Asustor As6202T Adm

Published

2018-05-22

Updated

2019-03-29

CVE-2018-11345

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ASUSTOR AS6202T ADM version 3.1.0.RFQ3

Description The issue allows attackers to upload files via the filename parameter in the POST request to the "upload.cgi" endpoint. This can lead to the execution of attacker-controlled code on the file system. The filename parameter is also vulnerable to path traversal, enabling attackers to place files anywhere on the system.

Recommendations For ASUSTOR AS6202T ADM version 3.1.0.RFQ3, consider restricting access to the "upload.cgi" endpoint until a patch is available. As a temporary workaround, avoid using the filename parameter in the POST request to prevent potential path traversal and file upload attacks.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2018-11345

Affected Products

Asustor As6202T Adm

PT-2018-10503 · Asustor · Asustor As6202T Adm

CVE-2018-11345

Weakness Enumeration

Related Identifiers

Affected Products

References · 5