NUUO NVRmini Products CVE-2018-15716 Incomplete Fix Remote Command Injection Vulnerability

NUUO NVRmini Products are prone to an remote command-injection vulnerability.

An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.
NOTE: This issue is the result of an incomplete fix for the issue described in BID 106058 (NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability).

Information

Bugtraq ID: 106059
Class: Input Validation Error
CVE: CVE-2018-15716

Remote: Yes
Local: No
Published: Nov 30 2018 12:00AM
Updated: Nov 30 2018 12:00AM
Credit: Tenable
Vulnerable: NUUO NVRsolo Plus 3.10
NUUO NVRsolo 3.10
NUUO NVRmini 2 3.10

Not Vulnerable:

Exploit

The researcher who discovered this issue has created a proof-of-concept to demonstrate the issue. The exploit is otherwise not publicly available.

References:

• NUUO Homepage (NUUO Inc.)
  
• tenable/poc (tenable)
  
• tenable/poc (Tenable)
  
• [R1] NUUO NVRMini2 Authenticated Command Injection (Tenable)
  

Source: www.securityfocus.com