一、 漏洞 CVE-2024-48705 基础信息
漏洞信息
                                        # N/A

### 概述

Wavlink AC1200 路由器在特定固件版本中存在一个**命令注入漏洞**,攻击者在认证后可通过该漏洞执行任意命令。

### 影响版本

- `M32A3_V1410_230602`
- `M32A3_V1410_240222`

### 细节

漏洞存在于 `adm.cgi` 二进制文件中的 `"set_sys_adm"` 函数中,攻击者在重置密码时,可控制用户输入的 `"newpass"` 字段,造成命令注入。

### 影响

攻击者在成功通过身份验证后,可利用该漏洞注入并执行任意系统命令,可能导致系统被完全控制。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
N/A
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
WAVLINK AC1200 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
WAVLINK AC1200是中国睿因(WAVLINK)公司的一个双频大功率无线路由器。 Wavlink AC1200 M32A3_V1410_230602版本和M32A3_V1410_240222版本版本存在安全漏洞,该漏洞源于密码重置时对newpass字段清理不当,可能导致命令注入。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-48705 的公开POC
# POC 描述 源链接 神龙链接
1 Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field. https://github.com/L41KAA/CVE-2024-48705 POC详情
三、漏洞 CVE-2024-48705 的情报信息

  • 标题: 【New message】Home and Business Networking Equipment &Wireless Audio and Video Transmission Equipment -Wavlink.com -- 🔗来源链接

    标签:

    神龙速读
    【New message】Home and Business Networking Equipment &Wireless Audio and Video Transmission Equipment -Wavlink.com

  • 标题: GitHub - L41KAA/CVE-2024-48705: Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field. -- 🔗来源链接

    标签:

    神龙速读
    GitHub - L41KAA/CVE-2024-48705: Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field.
  • https://nvd.nist.gov/vuln/detail/CVE-2024-48705
四、漏洞 CVE-2024-48705 的评论

暂无评论

发表评论