← back
CVE-2014-2846

CVE-2014-2846

EPSS 8.8%
Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/33005unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://seclists.org/fulldisclosure/2014/Apr/257http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Executionhttp://www.securityfocus.com/archive/1/531910/100/0/threaded