| タイトル | Wavlink WL-WN578W2 M78W2_V221110 Command Injection |
|---|
| 説明 | A command injection vulnerability exists in the login module of WAVLINK WL-WN578W2 (firmware version: M78W2_V221110). The vulnerability resides in the ftext function (entry point) and sub_401340 function (core login logic) within the login.cgi file, which processes the ipaddr parameter without input sanitization. When submitting a POST request to the /cgi-bin/login.cgi (a program for handling login requests on the device) endpoint with the page=login action, authenticated attackers can inject arbitrary system commands via the ipaddr parameter. This enables unauthorized execution of system commands, access to sensitive device information, or full compromise of the device. |
|---|
| ソース | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/WAVLINK/WL-WN578W2/login.cgi/login/readme.md |
|---|
| ユーザー | n0ps1ed (UID 88889) |
|---|
| 送信 | 2025年08月28日 18:23 (8 月 ago) |
|---|
| モデレーション | 2025年09月12日 10:22 (15 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 323751 [Wavlink WL-WN578W2 221110 /cgi-bin/login.cgi sub_401340/sub_401BA4 ipaddr 特権昇格] |
|---|
| ポイント | 20 |
|---|