| عنوان | Wavlink WL-WN578W2 M78W2_V221110 Command Injection |
|---|
| الوصف | A command injection vulnerability exists in the login module of WAVLINK WL-WN578W2 (firmware version: M78W2_V221110). The vulnerability resides in the ftext function (entry point) and sub_401340 function (core login logic) within the login.cgi file, which processes the ipaddr parameter without input sanitization. When submitting a POST request to the /cgi-bin/login.cgi (a program for handling login requests on the device) endpoint with the page=login action, authenticated attackers can inject arbitrary system commands via the ipaddr parameter. This enables unauthorized execution of system commands, access to sensitive device information, or full compromise of the device. |
|---|
| المصدر | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/WAVLINK/WL-WN578W2/login.cgi/login/readme.md |
|---|
| المستخدم | n0ps1ed (UID 88889) |
|---|
| ارسال | 28/08/2025 06:23 PM (8 أشهر منذ) |
|---|
| الاعتدال | 12/09/2025 10:22 AM (15 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 323751 [Wavlink WL-WN578W2 221110 /cgi-bin/login.cgi sub_401340/sub_401BA4 ipaddr تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|