CVE-2018-13307: OS Command Injection
First published: Tue Nov 27 2018(Updated: )
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Totolink A3002ru Firmware | =1.0.8 | |
| TOTOLINK A3002RU |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-13307?
The severity of CVE-2018-13307 is critical with a CVSS score of 9.8.
What is the vulnerability in TOTOLINK A3002RU version 1.0.8?
The vulnerability in TOTOLINK A3002RU version 1.0.8 is a system command injection in the "fromNtp" function.
How can attackers exploit CVE-2018-13307?
Attackers can exploit CVE-2018-13307 by sending malicious payloads through the "ntpServerIp2" POST parameter, allowing them to execute system commands and potentially making the device permanently inoperable.
Is TOTOLINK A3002RU version 1.0.8 vulnerable?
Yes, TOTOLINK A3002RU version 1.0.8 is vulnerable to CVE-2018-13307.
How can I fix CVE-2018-13307?
To fix CVE-2018-13307, it is recommended to update TOTOLINK A3002RU firmware to a version that includes a patch for this vulnerability.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/totolink
- canonical/totolink a3002ru firmware
- version/totolink a3002ru firmware/1.0.8
- canonical/totolink a3002ru