CVE-2018-10988

HIGH

Diqee Diqee360 Firmware - Unauthenticated Remote Code Execution via Unsigned Firmware Update Script

Description

An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.

Scores

CVSS v3 7.8
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-347
Status published
Products (1)
diqee/diqee360_firmware
Published Jul 05, 2018
Tracked Since Feb 18, 2026