CVSS: 8.3EPSS: 0%CPEs: 24EXPL: 1CVE-2023-50922
https://notcve.org/view.php?id=CVE-2023-50922
03 Jan 2024 — An issue was discovered on GL.iNet devices through 4.5.0. Attackers who are able to steal the AdminToken cookie can execute arbitrary code by uploading a crontab-formatted file to a specific directory and waiting for its execution. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. Se descubrió un problema en dispositivos GL.iNet hasta 4.5.0. Los atacantes que pueden robar l... • https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Remote%20code%20execution%20due%20to%20gl_crontabs.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 24EXPL: 0CVE-2023-50921
https://notcve.org/view.php?id=CVE-2023-50921
03 Jan 2024 — An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. Se descubrió un problema en dispositivos GL.iNet hasta 4.5.0. Los atacantes pueden invocar la interfaz add_user en el módulo de system para obtener privilegios de root. • https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Add_user_vulnerability.md •
CVSS: 7.8EPSS: 0%CPEs: 24EXPL: 1CVE-2023-50445 – GL.iNet Unauthenticated Remote Command Execution
https://notcve.org/view.php?id=CVE-2023-50445
28 Dec 2023 — Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7., allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module. Vulnerabilidad de inyección de Shell GL.iNet A1300 v4.4.6 AX1800 v4.4.6 AXT1800 v4.4.6 MT3000 v4.4.6 MT... • http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •