Main Vulnerability Database Exploits ID:5974 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-15716

ID:5974 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-15716

Published: June 17, 2021

Vulnerability identifier: #VU16212

Vulnerability risk: High

CVE-ID: CVE-2018-15716

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
NUUO NVRmini 2

Link to public exploit:

https://www.exploit-db.com/exploits/45948/

Vulnerability description

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.

The vulnerability exists in upgrade_handle.php due to insufficient validation of user-supplied input. A remote authenticated attacker can send specially crafted requests containing shell metacharacters in the uploaddir parameter for a writeuploaddir command to bypass the uploaddir filter and execute OS commands with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note: the vulnerability exists due to insufficient patch for CVE-2018-14933.

Remediation

Update to version 3.10.0 or later.

ID:5974 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-15716

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human