OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
CPE | Name | Operator | Version |
---|---|---|---|
xiaomi_r3 | lt | 2.22.15 | |
xiaomi_r3c_firmware | lt | 2.12.15 | |
xiaomi_r3d_firmware | lt | 2.26.4 | |
xiaomi_r3p_firmware | lt | 2.14.5 |