The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has a command injection vulnerability in the Time Setting function, which is only accessible by an authenticated user. The vulnerability is in the tools_time.asp page and can be exploited through the uiViewSNTPServer parameter. Authentication can be achieved by exploiting CVE-2017-18373.
References
Link | Resource |
---|---|
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt | Exploit Third Party Advisory |
https://seclists.org/fulldisclosure/2017/Jan/40 | Mailing List Exploit Third Party Advisory |
https://ssd-disclosure.com/index.php/archives/2910 | Exploit Technical Description Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-05-02T16:15:22
Updated: 2019-05-02T16:15:22
Reserved: 2019-05-02T00:00:00
Link: CVE-2017-18372
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-05-02T17:29:01.257
Modified: 2019-10-03T00:03:26.223
Link: CVE-2017-18372
JSON object: View
Redhat Information
No data.
CWE