| 标题 | H3C Technologies Co., Ltd. H3C Magic NX30 Pro \ Magic NX15 \ H3C NX400 \ H3C Magic R3010 <=V100R014 Command Injection |
|---|
| 描述 | In the `H3C Magic` home router series, including `H3C Magic NX30 Pro`, `Magic NX15`, `H3C NX400`, and `H3C Magic R3010`, an attacker can send a specially crafted `POST` request to the `/api/wizard/getsyncpppoecfg` endpoint without authorization, exploiting command injection to gain a root shell on the router. |
|---|
| 来源 | ⚠️ https://gist.github.com/mono7s/dd7a0a1ec444bb2c228590d298e37a5d |
|---|
| 用户 | mono7s (UID 83092) |
|---|
| 提交 | 2025-03-21 15時03分 (1 年前) |
|---|
| 管理 | 2025-04-13 14時28分 (23 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 304581 [H3C Magic NX15/Magic NX400/Magic R3010 直到 V100R014 HTTP POST Request getsyncpppoecfg FCGI_WizardProtoProcess 权限提升] |
|---|
| 积分 | 17 |
|---|