Design/Logic Flaw

An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters the working directory is /www...

CVE-2023-31474

An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name...

CVE-2023-31478

An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...

CVE-2023-31472

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied...

CVE-2023-31476

An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters the working directory is /www...

GL.iNet devices 安全漏洞

GL.iNet devices are a series of hardware devices from China Guanglian Zhitong GL.iNet Company. A security vulnerability exists in GL.iNet devices prior to version 3.216, which originates from the ability to use regular expression functionality in package names via the software installation featur...

GL.iNet devices 命令注入漏洞

GL.iNet devices are a series of hardware devices from China's Guanglian Zhitong GL.iNet company. A command injection vulnerability exists in GL.iNet devices prior to version 3.216, which stems from an arbitrary file write vulnerability that can create an empty file anywhere on the file system...

CVE-2023-31472

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied...

PT-2023-23353 · Gl.Inet · Gl.Inet

Name of the Vulnerable Software and Affected Versions: GL.iNet devices versions prior to 3.216 Description: An issue was discovered that allows injecting arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name...

PT-2023-23355 · Gl.Inet · Gl.Inet

Name of the Vulnerable Software and Affected Versions: GL.iNet devices running firmware prior to 3.216 Description: An issue allows for arbitrary file write, enabling the creation of an empty file almost anywhere on the filesystem, given that the filename and path are no more than 6 characters. T...

PT-2023-23357 · Gl.Inet · Gl.Inet

Name of the Vulnerable Software and Affected Versions: GL.iNet devices versions prior to 3.216 Description: An issue was discovered that reveals information about the Wi-Fi configuration, including the SSID and key, through an API endpoint. Recommendations: For versions prior to 3.216, update to...

CVE-2023-31478

GL.iNet devices prior to firmware version 3.216 are affected by CVE-2023-31478. An API endpoint (mesh status) reveals Wi‑Fi configuration data, including SSID and password, potentially enabling unauthenticated access to the wireless network. The Nuclei template and related sources corroborate thi...

CVE-2023-31474

GL.iNet devices before 3.216 are affected by CVE-2023-31474 due to a flaw in the software installation feature that lets an attacker inject arbitrary parameters via a regex in a package name, causing opkg to list files in a target directory. The issue stems from how package-name regex handling ca...

CVE-2023-31476

GL.iNet devices with firmware older than 3.216 are affected by an arbitrary file write vulnerability that lets an empty file be created almost anywhere in the filesystem, as long as the filename and path are ≤ 6 characters and the working directory is /www. Impact details from CVE indicate potent...

CVE-2023-31472

GL.iNet devices prior to 3.216 are affected by a command-injection–driven arbitrary file-write vulnerability that allows creating empty files anywhere on the filesystem. Root cause: an input filter failure enables unintended file writes via a crafted command. Impact: potential unauthorized file c...

CVE-2023-31476

An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters the working directory is /www...

CVE-2023-31478

An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key...

CVE-2023-29778

GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread...

Command injection

GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread...

CVE-2023-29778

GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread...