VYPR

Merlin.PHP

by Rmerl

CVEs (2)

  • CVE-2018-18320CriOct 15, 2018
    risk 0.64cvss 9.8epss 0.05

    An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because exec.php has a popen call. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and…

  • CVE-2018-18319CriOct 15, 2018
    risk 0.64cvss 9.8epss 0.05

    An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that…