CVE-2018-5347

CRITICAL

Seagate Media Server - Command Injection

Title source: llm

Description

Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.

Exploits (1)

exploitdb WORKING POC
by SecuriTeam · remote · hardware
https://www.exploit-db.com/exploits/43659

Scores

CVSS v3 9.8
EPSS 0.4702
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (1)
seagate/personal_cloud_firmware
Published Jan 12, 2018
Tracked Since Feb 18, 2026