CVE-2018-17934

CRITICAL

Nuuo Cms < 3.3 - Path Traversal

Title source: rule

Description

NUUO CMS All versions 3.3 and prior the application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.

Exploits (1)

metasploit WORKING POC

by Pedro Ribeiro <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/nuuo_cms_file_download.rb

View Code ZIP pw:eip

References (1)

[Third Party Advisory, US Government Resource] https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Scores

CVSS v3 9.8

EPSS 0.6775

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

nuuo/nuuo_cms < 3.3

Published Nov 27, 2018

Tracked Since Feb 18, 2026