CVE-2018-18319
https://notcve.org/view.php?id=CVE-2018-18319
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution ** EN DISPUTA ** Se ha descubierto un problema en la versión 0.6.6 del componente Merlin.PHP para dispositivos Asuswrt-Merlin. Un atacante puede ejecutar comandos arbitrarios debido a que api.php tiene una llamada eval, tal y como queda demostrado con el URI /6/api.php? • http://blog.51cto.com/010bjsoft/2298902 https://github.com/qoli/Merlin.PHP/issues/27 • CWE-94: Improper Control of Generation of Code ('Code Injection') •