Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to read arbitrary files in the local file system. Note that by default, the local file system is isolated in a Docker container. Successful exploitation requires valid credentials to an account with "Edit" access to "System Customization".
References
| Link | Resource |
|---|---|
| https://community.ubnt.com/t5/UCRM/New-UCRM-upgrades-available-2-8-2-and-2-9-0-beta3/td-p/2211814 | Vendor Advisory |
| https://hackerone.com/reports/301406 | Third Party Advisory |
MITRE Information
Status: PUBLISHED
Assigner: hackerone
Published: 2018-05-24T00:00:00
Updated: 2018-07-03T20:57:01
Reserved: 2016-11-30T00:00:00
Link: CVE-2017-0913
NVD Information
Status: Analyzed
Published: 2018-07-03T21:29:00.247
Modified: 2019-10-03T00:03:26.223
Link: CVE-2017-0913
CWE