CVE-2018-14010

OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:mi:xiaomi_r3p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mi:xiaomi_r3p:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:mi:xiaomi_r3c_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mi:xiaomi_r3c:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:mi:xiaomi_r3d_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mi:xiaomi_r3d:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:mi:xiaomi_r3:*:*:*:*:*:*:*:*
cpe:2.3:h:mi:xiaomi_r3:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:48

Type Values Removed Values Added
References () http://www.cnvd.org.cn/flaw/show/CNVD-2018-04521 - Third Party Advisory () http://www.cnvd.org.cn/flaw/show/CNVD-2018-04521 - Third Party Advisory
References () https://github.com/cc-crack/router/blob/master/CNVD-2018-04521.py - Exploit, Third Party Advisory () https://github.com/cc-crack/router/blob/master/CNVD-2018-04521.py - Exploit, Third Party Advisory

Information

Published : 2018-07-15 03:29

Updated : 2024-11-21 03:48


NVD link : CVE-2018-14010

Mitre link : CVE-2018-14010

CVE.ORG link : CVE-2018-14010


JSON object : View

Products Affected

mi

  • xiaomi_r3p
  • xiaomi_r3d
  • xiaomi_r3
  • xiaomi_r3d_firmware
  • xiaomi_r3p_firmware
  • xiaomi_r3c
  • xiaomi_r3c_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')