Main
Vulnerability Database
Exploits
ID:2145 - Exploit for Command injection in GPON - CVE-2018-10562
ID:2145 - Exploit for Command injection in GPON - CVE-2018-10562
Published: March 18, 2020
Vulnerability identifier: #VU12661
Vulnerability risk: High
CVE-ID: CVE-2018-10562
CWE-ID: CWE-77
Exploitation vector: Remote access
Vulnerable software:
GPON
GPON
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists due to command injection via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. A remote attacker can inject arbitrary commands and execute arbitrary code because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html.
The weakness exists due to command injection via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. A remote attacker can inject arbitrary commands and execute arbitrary code because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html.
Remediation
Install update from vendor's website.