| Título | Wavlink WL-WN578W2 M78W2_V221110 Command Injection |
|---|
| Descrição | A command injection vulnerability exists in the login module of WAVLINK WL-WN578W2 (firmware version: M78W2_V221110). The vulnerability resides in the ftext function (entry point) and sub_401340 function (core login logic) within the login.cgi file, which processes the ipaddr parameter without input sanitization. When submitting a POST request to the /cgi-bin/login.cgi (a program for handling login requests on the device) endpoint with the page=login action, authenticated attackers can inject arbitrary system commands via the ipaddr parameter. This enables unauthorized execution of system commands, access to sensitive device information, or full compromise of the device. |
|---|
| Fonte | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/WAVLINK/WL-WN578W2/login.cgi/login/readme.md |
|---|
| Utilizador | n0ps1ed (UID 88889) |
|---|
| Submissão | 28/08/2025 18h23 (há 8 meses) |
|---|
| Moderação | 12/09/2025 10h22 (15 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 323751 [Wavlink WL-WN578W2 221110 /cgi-bin/login.cgi sub_401340/sub_401BA4 ipaddr Elevação de Privilégios] |
|---|
| Pontos | 20 |
|---|