CVE-2018-18471

Name of the Vulnerable Software and Affected Versions Seagate GoFlex Home (affected versions not specified) Medion LifeCloud NAS (affected versions not specified) Netgear Stora (affected versions not specified)

Description The issue is related to an incorrect restriction of XML links to external objects in the web interface of the microprogram software for network data storage devices. This can be exploited by a remote attacker to elevate their privileges. The /api/2.0/rest/aggregator/xml endpoint in Axentra firmware is affected by an XXE vulnerability, which can be combined with an SSRF bug to achieve remote command execution as root. The vulnerability can be triggered by anyone who knows the IP address of the affected device.

Recommendations For Seagate GoFlex Home, consider disabling the /api/2.0/rest/aggregator/xml endpoint until a patch is available. For Medion LifeCloud NAS, restrict access to the vulnerable API endpoint to minimize the risk of exploitation. For Netgear Stora, avoid using the vulnerable xml parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.