EDB-ID: 45030 | Author: Miguel Mendez Z | Published: 2018-07-16 | CVE: CVE-2018-14064 | Type: Webapps | Platform: Hardware | Aliases: N/A | Advisory/Source: N/A | Tags: Traversal | Vulnerable App: N/A | Date: 12-07-2018
Scope: Directory Traversal
Platforms: Unix
Author: Miguel Mendez Z
Vendor: VelotiSmart
Version: B380
CVE: CVE-2018–14064
Vulnerability description
-------------------------
- The vulnerability that affects the device is LFI type in the uc-http service 1.0.0. What allows to obtain information of configurations, wireless scanned networks, sensitive directories, etc. Of the device.
Vulnerable variable:
http://domain:80/../../etc/passwd
Exploit link:
https://github.com/s1kr10s/ExploitVelotiSmart
Poc:
https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac