ГлавнаяУязвимости → CVE-2024-45261
8высокая

CVE-2024-45261

Описание

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control.

Затрагиваемое ПО
Gl-inet Mt2500 firmwareGl-inet Mt2500Gl-inet Axt1800 firmwareGl-inet Axt1800Gl-inet Ax1800 firmwareGl-inet Ax1800Gl-inet B3000 firmwareGl-inet B3000Gl-inet A1300 firmwareGl-inet A1300Gl-inet X300b firmwareGl-inet X300bGl-inet X3000 firmwareGl-inet X3000Gl-inet Xe3000 firmwareGl-inet Xe3000Gl-inet X750 firmwareGl-inet X750Gl-inet Sft1200 firmwareGl-inet Sft1200Gl-inet Mt1300 firmwareGl-inet Mt1300Gl-inet E750 firmwareGl-inet E750Gl-inet Xe300 firmware
CVSS
Балл8 — высокая
ВекторCVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Bypassing%20Login%20Mechanism%20with%20Passwordless%20User%20Login.md