| 제목 | Wavlink WL-WN578W2 M78W2_V221110 Command Injection |
|---|
| 설명 | A command injection vulnerability exists in the login module of WAVLINK WL-WN578W2 (firmware version: M78W2_V221110). The vulnerability resides in the ftext function (entry point) and sub_401340 function (core login logic) within the login.cgi file, which processes the ipaddr parameter without input sanitization. When submitting a POST request to the /cgi-bin/login.cgi (a program for handling login requests on the device) endpoint with the page=login action, authenticated attackers can inject arbitrary system commands via the ipaddr parameter. This enables unauthorized execution of system commands, access to sensitive device information, or full compromise of the device. |
|---|
| 원천 | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/WAVLINK/WL-WN578W2/login.cgi/login/readme.md |
|---|
| 사용자 | n0ps1ed (UID 88889) |
|---|
| 제출 | 2025. 08. 28. PM 06:23 (10 개월 ago) |
|---|
| 모더레이션 | 2025. 09. 12. AM 10:22 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 323751 [Wavlink WL-WN578W2 221110 /cgi-bin/login.cgi sub_401340/sub_401BA4 ipaddr 권한 상승] |
|---|
| 포인트들 | 20 |
|---|