CVE-2017-8841
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
Public Exploits: 2
Exploited in Wild: -
Descriptions
Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmware_process.cgi via the upfile.path parameter.
Peplink version 7.0.0-build1904 suffers from cross site request forgery, cross site scripting, file deletion, and remote SQL injection vulnerabilities.
Timeline
- 2017-05-08 CVE Reserved
- 2017-06-05 CVE Published
- 2017-06-05 First Exploit
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (4)
URL | Tag | Source |
---|---|---|
http://seclists.org/bugtraq/2017/Jun/1 | Mailing List | |
https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/142801 | 2017-06-05 | |
https://www.exploit-db.com/exploits/42130 | 2024-08-05 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Peplink | B305hw2 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 305 | - | - | Safe |
Peplink | 380hw6 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 380 | - | - | Safe |
Peplink | 580hw2 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 580 | - | - | Safe |
Peplink | 710hw3 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 710 | - | - | Safe |
Peplink | 1350hw2 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 1350 | - | - | Safe |
Peplink | 2500 Firmware | 7.0.1 | - | Affected | in | Peplink | Balance 2500 | - | - | Safe |