CVE-2019-17372
Description
Certain NETGEAR devices allow remote attackers to disable all authentication requirements by visiting genieDisableLanChanged.cgi. The attacker can then, for example, visit MNU_accessPassword_recovered.html to obtain a valid new admin password. This affects AC1450, D8500, DC112A, JNDR3000, LG2200D, R4500, R6200, R6200V2, R6250, R6300, R6300v2, R6400, R6700, R6900P, R6900, R7000P, R7000, R7100LG, R7300, R7900, R8000, R8300, R8500, WGR614v10, WN2500RPv2, WNDR3400v2, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR1000, WNR1000v3, WNR3500L, and WNR3500L.
Related CPE's
References
CvssV3 impact
Version | 3.1 |
VectorString | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
AttackVector | NETWORK |
AttackComplexity | HIGH |
PrivilegesRequired | NONE |
UserInteraction | NONE |
Scope | UNCHANGED |
ConfidentialityImpact | HIGH |
IntegrityImpact | HIGH |
AvailabilityImpact | HIGH |
BaseScore | 8.1 |
BaseSeverity | HIGH |
CvssV2 impact
Version | 2.0 |
VectorString | AV:N/AC:M/Au:N/C:P/I:N/A:N |
AccessVector | NETWORK |
AccessComplexity | MEDIUM |
Authentication | NONE |
ConfidentialityImpact | PARTIAL |
IntegrityImpact | NONE |
AvailabilityImpact | NONE |
BaseScore | 4.300000190734863 |