| Название | Wavlink WL-WN578W2 M78W2_V221110 Command Injection |
|---|
| Описание | A command injection vulnerability exists in the login module of WAVLINK WL-WN578W2 (firmware version: M78W2_V221110). The vulnerability resides in the ftext function (entry point) and sub_401340 function (core login logic) within the login.cgi file, which processes the ipaddr parameter without input sanitization. When submitting a POST request to the /cgi-bin/login.cgi (a program for handling login requests on the device) endpoint with the page=login action, authenticated attackers can inject arbitrary system commands via the ipaddr parameter. This enables unauthorized execution of system commands, access to sensitive device information, or full compromise of the device. |
|---|
| Источник | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/WAVLINK/WL-WN578W2/login.cgi/login/readme.md |
|---|
| Пользователь | n0ps1ed (UID 88889) |
|---|
| Представление | 28.08.2025 18:23 (8 месяцы назад) |
|---|
| Модерация | 12.09.2025 10:22 (15 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 323751 [Wavlink WL-WN578W2 221110 /cgi-bin/login.cgi sub_401340/sub_401BA4 ipaddr эскалация привилегий] |
|---|
| Баллы | 20 |
|---|