CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2017-2922
https://notcve.org/view.php?id=CVE-2017-2922
An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which leads to a use-after-free vulnerability which can be exploited to achieve remote code execution. An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability. Existe una vulnerabilidad explotable de corrupción de memoria en la implementación del protocolo Websocket de Cesanta Mongoose 6.8. Un paquete websocket especialmente manipulado puede provocar que un búfer se asigne dejando punteros obsoletos. • https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0429 • CWE-416: Use After Free •
CVSS: 8.8EPSS: 5%CPEs: 1EXPL: 3CVE-2017-11567 – Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11567
Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en Mongoose Web Server en versiones anteriores a la 6.9 permite que atacantes remotos secuestren la autenticación de usuarios para peticiones que modifiquen Mongoose.conf mediante una petición a __mg_admin?save. • https://www.exploit-db.com/exploits/42614 http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt http://seclists.org/fulldisclosure/2017/Sep/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 2CVE-2017-7185 – Cesanta Mongoose OS - Use-After-Free
https://notcve.org/view.php?id=CVE-2017-7185
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string. Vulnerabilidad use-after-free en la función mg_http_multipart_wait_for_boundary en mongoose.c en Cesanta Mongoose Embedded Web Server Library 6.7 y anteriores y Mongoose OS 1.2 y anteriores permite a los atacantes remotos provocar una denegación de servicio (caída) a través de un multipart/form-data POST solicitud sin una cadena de límite MIME. Mongoose OS versions 1.2 and below suffers from use-after-free and denial of service vulnerabilities. • https://www.exploit-db.com/exploits/41826 http://www.securityfocus.com/archive/1/540355/100/0/threaded http://www.securityfocus.com/bid/97370 https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt • CWE-416: Use After Free •