Information disclosure in NETGEAR products - #VU10433

 


Published: February 9, 2018


Vulnerability identifier: #VU10433
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: NETGEAR
Affected software:
D8500
WNDR4500v2
R7000P
R6400v2
R6300v2
DGN2200v4
R6400
R6700
R7000

Detailed vulnerability description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the genie_restoring.cgi script, which is served by the device's built-in web server. An adjacent attacker can abuse the vulnerable script to extract files and passwords from the router's filesystem in flash storage, or to pull files from USB sticks plugged into the router.


Remediation

Update to the latest version.
