Vulnerability Details CVE-2018-9075
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.264
EPSS Ranking 96.0%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 9.3
References
Products affected by CVE-2018-9075
-
cpe:2.3:h:lenovo:iomega_ez_media_&_backup_center:-
-
cpe:2.3:h:lenovo:iomega_storcenter_ix2-dl:-
-
cpe:2.3:h:lenovo:iomega_storcenter_ix2:-
-
cpe:2.3:h:lenovo:iomega_storcenter_ix4-300d:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px12-400r:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px12-450r:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px2-300d:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px4-300d:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px4-300r:-
-
cpe:2.3:h:lenovo:iomega_storcenter_px6-300d:-
-
cpe:2.3:h:lenovo:lenovo_ez_media_&_backup_center:-
-
cpe:2.3:h:lenovo:lenovo_ix2:-
-
cpe:2.3:h:lenovo:lenovo_ix4-300d:-
-
cpe:2.3:h:lenovo:lenovoemc_px12-400r:-
-
cpe:2.3:h:lenovo:lenovoemc_px12-450r:-
-
cpe:2.3:h:lenovo:lenovoemc_px2-300d:-
-
cpe:2.3:h:lenovo:lenovoemc_px4-300d:-
-
cpe:2.3:h:lenovo:lenovoemc_px4-300r:-
-
cpe:2.3:h:lenovo:lenovoemc_px4-400d:-
-
cpe:2.3:h:lenovo:lenovoemc_px4-400r:-
-
cpe:2.3:h:lenovo:lenovoemc_px6-300d:-
-
cpe:2.3:o:lenovo:lenovoemc_firmware:4.1.402.34662