ID

VAR-201811-0348


CVE

CVE-2018-18982


TITLE

NUUO CMS SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2018-24248 // CNNVD: CNNVD-201811-800

DESCRIPTION

In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution. NUUO CMS contains an SQL injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). NUUO CMS is a central software management platform from NUUO. The platform is used to centrally manage NVR (DVR), IP cameras and other devices, and provides user management and alarm management. There is a SQL injection vulnerability in NUUO CMS 3.3 and earlier. A remote attacker can exploit this vulnerability to execute arbitrary code.

Trust: 2.34

sources: NVD: CVE-2018-18982 // JVNDB: JVNDB-2018-012291 // CNVD: CNVD-2018-24248 // IVD: e30139cf-39ab-11e9-a27d-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e30139cf-39ab-11e9-a27d-000c29342cb1 // CNVD: CNVD-2018-24248

AFFECTED PRODUCTS

vendor: nuuo, model: cms, scope: lte, version: 3.3

Trust: 1.8

vendor: nuuo, model: cms, scope: lte, version: <=3.3

Trust: 0.8

vendor: nuuo, model: cms, scope: eq, version: 3.3

Trust: 0.6

sources: IVD: e30139cf-39ab-11e9-a27d-000c29342cb1 // CNVD: CNVD-2018-24248 // JVNDB: JVNDB-2018-012291 // CNNVD: CNNVD-201811-800 // NVD: CVE-2018-18982

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18982
value: HIGH

Trust: 1.0

NVD: CVE-2018-18982
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-24248
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201811-800
value: HIGH

Trust: 0.6

IVD: e30139cf-39ab-11e9-a27d-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-18982
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2018-18982
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2018-24248
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e30139cf-39ab-11e9-a27d-000c29342cb1
severity: HIGH
baseScore: 8.5
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-18982
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: CVE-2018-18982
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: e30139cf-39ab-11e9-a27d-000c29342cb1 // CNVD: CNVD-2018-24248 // JVNDB: JVNDB-2018-012291 // CNNVD: CNNVD-201811-800 // NVD: CVE-2018-18982

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2018-012291 // NVD: CVE-2018-18982

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 151260 // CNNVD: CNNVD-201811-800

TYPE

SQL injection

Trust: 0.8

sources: IVD: e30139cf-39ab-11e9-a27d-000c29342cb1 // CNNVD: CNNVD-201811-800

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012291

PATCH

title: Central Management System, url: https://www.nuuo.com/ProductNode.php?node=3

Trust: 0.8

sources: JVNDB: JVNDB-2018-012291

EXTERNAL IDS

db: NVD, id: CVE-2018-18982

Trust: 3.3

db: ICS CERT, id: ICSA-18-284-02

Trust: 3.0

db: EXPLOIT-DB, id: 46449

Trust: 1.6

db: CNVD, id: CNVD-2018-24248

Trust: 0.8

db: CNNVD, id: CNNVD-201811-800

Trust: 0.8

db: JVNDB, id: JVNDB-2018-012291

Trust: 0.8

db: PACKETSTORM, id: 151806

Trust: 0.6

db: IVD, id: E30139CF-39AB-11E9-A27D-000C29342CB1

Trust: 0.2

db: PACKETSTORM, id: 151260

Trust: 0.1

sources: IVD: e30139cf-39ab-11e9-a27d-000c29342cb1 // CNVD: CNVD-2018-24248 // JVNDB: JVNDB-2018-012291 // PACKETSTORM: 151260 // CNNVD: CNNVD-201811-800 // NVD: CVE-2018-18982

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-284-02

Trust: 3.0

url:https://www.exploit-db.com/exploits/46449/

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-18982

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18982

Trust: 0.8

url:https://packetstormsecurity.com/files/151806/nuuo-central-management-sql-injection.html

Trust: 0.6

url:https://www.exploit-db.com/exploits/46449

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-17888

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-17890

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-17892

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-17936

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-17934

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-17894

Trust: 0.1

sources: CNVD: CNVD-2018-24248 // JVNDB: JVNDB-2018-012291 // PACKETSTORM: 151260 // CNNVD: CNNVD-201811-800 // NVD: CVE-2018-18982

CREDITS

Metasploit, Pedro Ribeiro

Trust: 0.6

sources: CNNVD: CNNVD-201811-800

SOURCES

db: IVD, id: e30139cf-39ab-11e9-a27d-000c29342cb1
db: CNVD, id: CNVD-2018-24248
db: JVNDB, id: JVNDB-2018-012291
db: PACKETSTORM, id: 151260
db: CNNVD, id: CNNVD-201811-800
db: NVD, id: CVE-2018-18982

LAST UPDATE DATE

2024-11-23T22:30:16.640000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-24248, date: 2018-11-29T00:00:00
db: JVNDB, id: JVNDB-2018-012291, date: 2019-01-31T00:00:00
db: CNNVD, id: CNNVD-201811-800, date: 2019-03-06T00:00:00
db: NVD, id: CVE-2018-18982, date: 2024-11-21T03:56:58.903

SOURCES RELEASE DATE

db: IVD, id: e30139cf-39ab-11e9-a27d-000c29342cb1, date: 2018-11-29T00:00:00
db: CNVD, id: CNVD-2018-24248, date: 2018-11-29T00:00:00
db: JVNDB, id: JVNDB-2018-012291, date: 2019-01-31T00:00:00
db: PACKETSTORM, id: 151260, date: 2019-01-21T23:02:22
db: CNNVD, id: CNNVD-201811-800, date: 2018-11-28T00:00:00
db: NVD, id: CVE-2018-18982, date: 2018-11-27T20:29:00.923