ГлавнаяУязвимости → CVE-2024-45262
8.8высокая

CVE-2024-45262

Описание

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The params parameter in the call method of the /rpc endpoint is vulnerable to arbitrary directory traversal, which enables attackers to execute scripts under any path.

Затрагиваемое ПО
Gl-inet Mt2500 firmwareGl-inet Mt2500Gl-inet Axt1800 firmwareGl-inet Axt1800Gl-inet Ax1800 firmwareGl-inet Ax1800Gl-inet B3000 firmwareGl-inet B3000Gl-inet A1300 firmwareGl-inet A1300Gl-inet X300b firmwareGl-inet X300bGl-inet X3000 firmwareGl-inet X3000Gl-inet Xe3000 firmwareGl-inet Xe3000Gl-inet X750 firmwareGl-inet X750Gl-inet Sft1200 firmwareGl-inet Sft1200Gl-inet Mt1300 firmwareGl-inet Mt1300Gl-inet E750 firmwareGl-inet E750Gl-inet Xe300 firmware
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Improper%20Pathname%20Restriction%20Leading%20to%20Path%20Traversal%20in%20Restricted%20Directories.md