CVE-2017-6366 – Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-6366
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely. Vulnerabilidad de CSRF en routers NETGEAR DGN2200 con firmware 10.0.0.20 hasta la versión 10.0.0.50 permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que realizan búsquedas DNS a través del parámetro host_name a dnslookup.cgi. NOTA: este problema se puede combinar con CVE-2017-6334 para ejecutar código arbitrario de forma remota. • https://www.exploit-db.com/exploits/41472 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-6334 – NETGEAR DGN2200 Devices OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2017-6334
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077. Dnslookup.cgi en dispositivos NETGEAR DGN2200 con firmware hasta la versión 10.0.0.50 permite a usuarios remotos autenticados ejecutar comandos del SO arbitrarios a través de metacaracteres shell en el campo del nombre de host de una solicitud HTTP POST, una vulnerabilidad diferente a CVE-2017-6077. Netgear DGN2200 versions 1, 2, 3, and 4 suffer from a non-administrative authenticated remote command execution vulnerability via dnslookup.cgi. dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands • https://www.exploit-db.com/exploits/42257 https://www.exploit-db.com/exploits/41459 https://www.exploit-db.com/exploits/41472 http://www.securityfocus.com/bid/96463 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •