Several Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may be affected.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
it was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
Prince Chaddha
Prince Chaddha
GwanYeong Kim
Muhammad Daffa
Sandeep Singh
Regala
Dwi Siswanto
sandeep
PikPikcU
Dhiyaneshwaran