Affected products (CPE):
cpe:/a:transmissionbt:transmission:2.92
cpe:/o:debian:debian_linux:7.0
cpe:/o:debian:debian_linux:8.0
cpe:/o:debian:debian_linux:9.0

CVE ID: CVE-2018-5702
Published: 2018-01-15T11:29:00.237-05:00
Last modified: 2019-10-02T20:03:26.223-04:00

CVSS score: 6.8
Access vector: NETWORK
Access complexity: MEDIUM
Authentication: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Source: http://nvd.nist.gov
Generated: 2019-03-21T08:31:40.950-04:00

References:
EXPLOIT-DB: 43665
DEBIAN: DSA-4087
GENTOO: GLSA-201806-07
MLIST: [debian-lts-announce] 20180118 [SECURITY] [DLA 1246-1] transmission security update
MISC: https://bugs.chromium.org/p/project-zero/issues/detail?id=1447
MISC: https://github.com/transmission/transmission/pull/468
MISC: https://twitter.com/taviso/status/951526615145566208

Summary: Transmission through 2.92 relies on X-Transmission-Session-Id (which is not a forbidden header for Fetch) for access control, which allows remote attackers to execute arbitrary RPC commands, and consequently write to arbitrary files, via POST requests to /transmission/rpc in conjunction with a DNS rebinding attack.