CVE-2013-3365 Details

Published: 2014-02-04
Last Modified: 2014-02-05
CVE Author: NIST National Vulnerability Database
CVE Assigner: cve@mitre.org
Summary

TRENDnet TEW-812DRU router allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) wan network prefix to internet/ipv6.asp; (2) remote port to adm/management.asp; (3) pptp username, (4) pptp password, (5) ip, (6) gateway, (7) l2tp username, or (8) l2tp password to internet/wan.asp; (9) NtpDstStart, (10) NtpDstEnd, or (11) NtpDstOffset to adm/time.asp; or (12) device url to adm/management.asp. NOTE: vectors 9, 10, and 11 can be exploited by unauthenticated remote attackers by leveraging CVE-2013-3098.

Analysis
Common Vulnerability Score System v2.0
Severity: High
Base Score: 8.5/10
Exploit Score: 6.8/10
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Impact Score: 10/10
Confidentiality Impact: Complete
Availability Impact: Complete
Integrity Impact: Complete
Vector String: AV:N/AC:M/Au:S/C:C/I:C/A:C
Common Vulnerability Score System v3.1

NIST has not assigned a CVSSv3.1 Score.

Products Reported
CPE: cpe:2.3:h:trendnet:tew-812dru:-:*:*:*:*:*:*:*
Vulnerable: Yes
Start: -
Excluding: -
References

http://infosec42.blogspot.com/2013/07/exploit-trendnet-tew-812dru-csrfcommand.html
http://securityevaluators.com/content/case-studies/routers/Vulnerability_Catalog.pdf

PCI Compliance: Fail
US-CERT Alert: No
CWE: CWE-78