Vulnerabilites related to linksys - wrt54gl
Vulnerability from fkie_nvd
Published
2023-01-09 21:15
Modified
2024-11-21 07:27
Severity ?
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A null pointer dereference vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A null pointer dereference in the soap_action function within the upnp binary can be triggered by an unauthenticated attacker via a malicious POST request invoking the AddPortMapping action.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| trellixpsirt@trellix.com | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | * | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC08DC7C-7FBB-4CD6-89F1-7F4997BC9CAE",
"versionEndIncluding": "4.30.18.006",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A null pointer dereference vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. A null pointer dereference in the soap_action function within the upnp binary can be triggered by an unauthenticated attacker via a malicious POST request invoking the AddPortMapping action."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de desreferencia de puntero nulo en el router Linksys WRT54GL Wireless-G Broadband con firmware \u0026lt;= 4.30.18.006. Un atacante no autenticado puede desencadenar una desreferencia de puntero nulo en la funci\u00f3n SOAP_action dentro del binario upnp a trav\u00e9s de una solicitud POST maliciosa que invoca la acci\u00f3n AddPortMapping."
}
],
"id": "CVE-2022-43972",
"lastModified": "2024-11-21T07:27:27.420",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-09T21:15:10.920",
"references": [
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
}
],
"sourceIdentifier": "trellixpsirt@trellix.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-476"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-09 21:15
Modified
2024-11-21 07:27
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| trellixpsirt@trellix.com | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | * | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC08DC7C-7FBB-4CD6-89F1-7F4997BC9CAE",
"versionEndIncluding": "4.30.18.006",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en el router Linksys WRT54GL Wireless-G Broadband con firmware \u0026lt;= 4.30.18.006. La funci\u00f3n Check_TSSI dentro del binario httpd utiliza entradas de usuario no validadas en la construcci\u00f3n de un comando del sistema. Un atacante autenticado con privilegios de administrador puede aprovechar esta vulnerabilidad en la red mediante una solicitud POST maliciosa a /apply.cgi para ejecutar comandos arbitrarios en el sistema operativo Linux subyacente como root."
}
],
"id": "CVE-2022-43973",
"lastModified": "2024-11-21T07:27:27.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-09T21:15:10.997",
"references": [
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
}
],
"sourceIdentifier": "trellixpsirt@trellix.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-10 06:15
Modified
2024-11-21 08:50
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.253329 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.253329 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.253329 | Permissions Required, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.253329 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | 4.30.18 | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:4.30.18:*:*:*:*:*:*:*",
"matchCriteriaId": "1173CC78-A954-4989-A72C-CF349C7BC4D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Linksys WRT54GL 4.30.18. Ha sido clasificada como problem\u00e1tica. Una parte desconocida del archivo /wlaninfo.htm del componente Web Management Interface afecta a una parte desconocida. La manipulaci\u00f3n conduce a la divulgaci\u00f3n de informaci\u00f3n. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-253329. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."
}
],
"id": "CVE-2024-1405",
"lastModified": "2024-11-21T08:50:30.937",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-10T06:15:46.170",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.253329"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.253329"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.253329"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.253329"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-09-24 16:30
Modified
2025-04-09 00:30
Severity ?
Summary
Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74623411-FCF0-4ECA-8D3E-F7CC6DF8AD65",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes."
},
{
"lang": "es",
"value": "Desbordamiento de b\u00fafer en el router inal\u00e1mbrico Linksys WRT54GL permite a los atacantes remotos ejecutar arbitrariamente c\u00f3digo a trav\u00e9s de vectores no especificados, como se demuestra en cierto m\u00f3dulo en VulnDisco Pack Professional v8.10 hasta v8.11. NOTA: como en 20090917, esta informaci\u00f3n no tiene informaci\u00f3n de la acci\u00f3n. Sin embargo, debido a que el autor VulnDisco Pack es un investigador confianza, se le ha asignado un identificador CVE con fines de seguimiento."
}
],
"id": "CVE-2009-3341",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-09-24T16:30:01.733",
"references": [
{
"source": "cve@mitre.org",
"url": "http://intevydis.com/vd-list.shtml"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36571"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id?1022827"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://intevydis.com/vd-list.shtml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36571"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id?1022827"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-22 17:15
Modified
2025-01-28 16:15
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://linksys.com | Product | |
| cve@mitre.org | https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf | Exploit, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://linksys.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf | Exploit, Mitigation, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | 4.30.18.006 | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:4.30.18.006:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB375A9-7E02-4B09-8CC6-AAC4E5C6ABEC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges."
}
],
"id": "CVE-2023-31742",
"lastModified": "2025-01-28T16:15:35.723",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-22T17:15:09.477",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://linksys.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "http://linksys.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-09 23:15
Modified
2024-11-21 08:50
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1 | Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.253328 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.253328 | Permissions Required, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.253328 | Permissions Required, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.253328 | Permissions Required, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | 4.30.18 | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:4.30.18:*:*:*:*:*:*:*",
"matchCriteriaId": "1173CC78-A954-4989-A72C-CF349C7BC4D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "es",
"value": "Una vulnerabilidad fue encontrada en Linksys WRT54GL 4.30.18 y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo /SysInfo.htm del componente Web Management Interface es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a la divulgaci\u00f3n de informaci\u00f3n. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-253328. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."
}
],
"id": "CVE-2024-1404",
"lastModified": "2024-11-21T08:50:30.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-09T23:15:08.243",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.253328"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?id.253328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.253328"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?id.253328"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-01-10 23:46
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:4.30.9:*:*:*:*:*:*:*",
"matchCriteriaId": "8608E772-F7D8-47CA-84B7-BE992347D9CD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators."
},
{
"lang": "es",
"value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en apply.cgi del enrutador Linksys WRT54GL Wireless-G Broadband con firmware 4.30.9 permite a atacantes remotos llevar a cabo acciones como administrador."
}
],
"id": "CVE-2008-0228",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-01-10T23:46:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28364"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/3534"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28364"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3534"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-09 21:15
Modified
2024-11-21 07:27
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A buffer overflow vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A stack-based buffer overflow in the Start_EPI function within the httpd binary allows an authenticated attacker with administrator privileges to execute arbitrary commands on the underlying Linux operating system as root. This vulnerablity can be triggered over the network via a malicious POST request to /apply.cgi.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| trellixpsirt@trellix.com | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| trellixpsirt@trellix.com | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/73-1lhvJPNg | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/RfWVYCUBNZ0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/TeWAmZaKQ_w | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | * | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC08DC7C-7FBB-4CD6-89F1-7F4997BC9CAE",
"versionEndIncluding": "4.30.18.006",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. A stack-based buffer overflow in the Start_EPI function within the httpd binary allows an authenticated attacker with administrator privileges to execute arbitrary commands on the underlying Linux operating system as root. This vulnerablity can be triggered over the network via a malicious POST request to /apply.cgi."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de desbordamiento del b\u00fafer en el router Linksys WRT54GL Wireless-G Broadband con firmware \u0026lt;= 4.30.18.006. Un desbordamiento de b\u00fafer en la regi\u00f3n stack de la memoria en la funci\u00f3n Start_EPI dentro del binario httpd permite a un atacante autenticado con privilegios de administrador ejecutar comandos arbitrarios en el sistema operativo Linux subyacente como root. Esta vulnerabilidad se puede activar a trav\u00e9s de la red mediante una solicitud POST maliciosa a /apply.cgi."
}
],
"id": "CVE-2022-43970",
"lastModified": "2024-11-21T07:27:27.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-09T21:15:10.750",
"references": [
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "trellixpsirt@trellix.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
}
],
"sourceIdentifier": "trellixpsirt@trellix.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-120"
}
],
"source": "trellixpsirt@trellix.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-10 08:15
Modified
2024-11-21 08:50
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3 | Exploit, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.253330 | Permissions Required | |
| cna@vuldb.com | https://vuldb.com/?id.253330 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.253330 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.253330 | Permissions Required |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linksys | wrt54gl_firmware | 4.30.18 | |
| linksys | wrt54gl | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linksys:wrt54gl_firmware:4.30.18:*:*:*:*:*:*:*",
"matchCriteriaId": "1173CC78-A954-4989-A72C-CF349C7BC4D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04AA9149-2F72-4585-8A41-66AE3D573197",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Linksys WRT54GL 4.30.18. Ha sido declarada problem\u00e1tica. Esta vulnerabilidad afecta a un c\u00f3digo desconocido del archivo /SysInfo1.htm del componente Web Management Interface. La manipulaci\u00f3n conduce a la divulgaci\u00f3n de informaci\u00f3n. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. VDB-253330 es el identificador asignado a esta vulnerabilidad. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."
}
],
"id": "CVE-2024-1406",
"lastModified": "2024-11-21T08:50:31.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-10T08:15:07.170",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.253330"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?id.253330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?ctiid.253330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://vuldb.com/?id.253330"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-31742 (GCVE-0-2023-31742)
Vulnerability from cvelistv5
Published
2023-05-22 00:00
Modified
2025-01-28 16:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:56:35.550Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://linksys.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-31742",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T16:03:26.283652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T16:06:33.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-22T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://linksys.com"
},
{
"url": "https://github.com/D2y6p/CVE/blob/main/Linksys/CVE-2023-31742/Linksys_WRT54GL_RCE.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-31742",
"datePublished": "2023-05-22T00:00:00.000Z",
"dateReserved": "2023-04-29T00:00:00.000Z",
"dateUpdated": "2025-01-28T16:06:33.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43973 (GCVE-0-2022-43973)
Vulnerability from cvelistv5
Published
2023-01-09 00:00
Modified
2025-04-09 14:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linksys | WRT54GL Wireless-G Broadband Router |
Version: Firmware < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:04.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:19:02.848808Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T14:20:48.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WRT54GL Wireless-G Broadband Router",
"vendor": "Linksys",
"versions": [
{
"lessThanOrEqual": "4.30.18.006",
"status": "affected",
"version": "Firmware",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jessie Chick of Trellix ARC"
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-09T00:00:00.000Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Arbitrary code execution in Linksys WRT54GL",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2022-43973",
"datePublished": "2023-01-09T00:00:00.000Z",
"dateReserved": "2022-10-28T00:00:00.000Z",
"dateUpdated": "2025-04-09T14:20:48.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43972 (GCVE-0-2022-43972)
Vulnerability from cvelistv5
Published
2023-01-09 00:00
Modified
2025-04-09 14:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-476 - NULL Pointer Dereference
Summary
A null pointer dereference vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A null pointer dereference in the soap_action function within the upnp binary can be triggered by an unauthenticated attacker via a malicious POST request invoking the AddPortMapping action.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linksys | WRT54GL Wireless-G Broadband Router |
Version: Firmware < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:21:57.291460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T14:22:24.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WRT54GL Wireless-G Broadband Router",
"vendor": "Linksys",
"versions": [
{
"lessThanOrEqual": "4.30.18.006",
"status": "affected",
"version": "Firmware",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jessie Chick of Trellix ARC"
}
],
"descriptions": [
{
"lang": "en",
"value": "A null pointer dereference vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. A null pointer dereference in the soap_action function within the upnp binary can be triggered by an unauthenticated attacker via a malicious POST request invoking the AddPortMapping action."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-09T00:00:00.000Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Null pointer dereference in Linksys WRT54GL",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2022-43972",
"datePublished": "2023-01-09T00:00:00.000Z",
"dateReserved": "2022-10-28T00:00:00.000Z",
"dateUpdated": "2025-04-09T14:22:24.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1404 (GCVE-0-2024-1404)
Vulnerability from cvelistv5
Published
2024-02-09 22:31
Modified
2025-05-15 19:39
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Disclosure
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.253328 | vdb-entry | |
| https://vuldb.com/?ctiid.253328 | signature, permissions-required | |
| https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1 | exploit |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.253328"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.253328"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:49:53.602829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:39:00.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Management Interface"
],
"product": "WRT54GL",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "4.30.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "leetsun (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Linksys WRT54GL 4.30.18 gefunden. Sie wurde als problematisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei /SysInfo.htm der Komponente Web Management Interface. Durch das Beeinflussen mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T22:31:04.132Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.253328"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.253328"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-09T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-09T17:18:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys WRT54GL Web Management Interface SysInfo.htm information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1404",
"datePublished": "2024-02-09T22:31:04.132Z",
"dateReserved": "2024-02-09T16:13:25.789Z",
"dateUpdated": "2025-05-15T19:39:00.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1405 (GCVE-0-2024-1405)
Vulnerability from cvelistv5
Published
2024-02-10 05:31
Modified
2025-05-15 19:38
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Disclosure
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.253329 | vdb-entry | |
| https://vuldb.com/?ctiid.253329 | signature, permissions-required | |
| https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2 | exploit |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.253329"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.253329"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:49:50.680074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:38:53.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Management Interface"
],
"product": "WRT54GL",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "4.30.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "leetsun (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Linksys WRT54GL 4.30.18 ausgemacht. Sie wurde als problematisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei /wlaninfo.htm der Komponente Web Management Interface. Durch Beeinflussen mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-10T05:31:03.693Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.253329"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.253329"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-09T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-09T17:18:55.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys WRT54GL Web Management Interface wlaninfo.htm information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1405",
"datePublished": "2024-02-10T05:31:03.693Z",
"dateReserved": "2024-02-09T16:13:28.821Z",
"dateUpdated": "2025-05-15T19:38:53.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1406 (GCVE-0-2024-1406)
Vulnerability from cvelistv5
Published
2024-02-10 07:31
Modified
2024-08-29 19:27
Severity ?
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Disclosure
Summary
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.253330 | vdb-entry | |
| https://vuldb.com/?ctiid.253330 | signature, permissions-required | |
| https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3 | exploit |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:20.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.253330"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.253330"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:h:linksys:wrt54gl:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "wrt54gl",
"vendor": "linksys",
"versions": [
{
"status": "affected",
"version": "4.30.18"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1406",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T18:26:27.284876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T19:27:19.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Web Management Interface"
],
"product": "WRT54GL",
"vendor": "Linksys",
"versions": [
{
"status": "affected",
"version": "4.30.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "leetsun (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Linksys WRT54GL 4.30.18 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /SysInfo1.htm der Komponente Web Management Interface. Dank der Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-10T07:31:04.055Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.253330"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.253330"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-09T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-09T17:18:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "Linksys WRT54GL Web Management Interface SysInfo1.htm information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1406",
"datePublished": "2024-02-10T07:31:04.055Z",
"dateReserved": "2024-02-09T16:13:34.919Z",
"dateUpdated": "2024-08-29T19:27:19.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43970 (GCVE-0-2022-43970)
Vulnerability from cvelistv5
Published
2023-01-09 00:00
Modified
2025-04-09 14:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Summary
A buffer overflow vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. A stack-based buffer overflow in the Start_EPI function within the httpd binary allows an authenticated attacker with administrator privileges to execute arbitrary commands on the underlying Linux operating system as root. This vulnerablity can be triggered over the network via a malicious POST request to /apply.cgi.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linksys | WRT54GL Wireless-G Broadband Router |
Version: Firmware < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:47:05.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"tags": [
"x_transferred"
],
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43970",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:25:37.571154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T14:26:11.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WRT54GL Wireless-G Broadband Router",
"vendor": "Linksys",
"versions": [
{
"lessThanOrEqual": "4.30.18.006",
"status": "affected",
"version": "Firmware",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jessie Chick of Trellix ARC"
}
],
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability exists in Linksys WRT54GL Wireless-G Broadband Router with firmware \u003c= 4.30.18.006. A stack-based buffer overflow in the Start_EPI function within the httpd binary allows an authenticated attacker with administrator privileges to execute arbitrary commands on the underlying Linux operating system as root. This vulnerablity can be triggered over the network via a malicious POST request to /apply.cgi."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-09T00:00:00.000Z",
"orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"shortName": "trellix"
},
"references": [
{
"url": "https://youtu.be/73-1lhvJPNg"
},
{
"url": "https://youtu.be/TeWAmZaKQ_w"
},
{
"url": "https://youtu.be/RfWVYCUBNZ0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Buffer overflow in Linksys WRT54GL",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
"assignerShortName": "trellix",
"cveId": "CVE-2022-43970",
"datePublished": "2023-01-09T00:00:00.000Z",
"dateReserved": "2022-10-28T00:00:00.000Z",
"dateUpdated": "2025-04-09T14:26:11.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-0228 (GCVE-0-2008-0228)
Vulnerability from cvelistv5
Published
2008-01-10 23:00
Modified
2024-08-07 07:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators.
References
| ▼ | URL | Tags |
|---|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/39502 | vdb-entry, x_refsource_XF | |
| http://securityreason.com/securityalert/3534 | third-party-advisory, x_refsource_SREASON | |
| http://secunia.com/advisories/28364 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.securityfocus.com/archive/1/485853/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://www.securityfocus.com/archive/1/486362/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:39:34.170Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "linksys-apply-csrf(39502)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
},
{
"name": "3534",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/3534"
},
{
"name": "28364",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28364"
},
{
"name": "20080107 Linksys WRT54 GL - Session riding (CSRF)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"name": "20080115 Re: Linksys WRT54 GL - Session riding (CSRF)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-01-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-15T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "linksys-apply-csrf(39502)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
},
{
"name": "3534",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/3534"
},
{
"name": "28364",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28364"
},
{
"name": "20080107 Linksys WRT54 GL - Session riding (CSRF)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"name": "20080115 Re: Linksys WRT54 GL - Session riding (CSRF)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-0228",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "linksys-apply-csrf(39502)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
},
{
"name": "3534",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/3534"
},
{
"name": "28364",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28364"
},
{
"name": "20080107 Linksys WRT54 GL - Session riding (CSRF)",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"name": "20080115 Re: Linksys WRT54 GL - Session riding (CSRF)",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-0228",
"datePublished": "2008-01-10T23:00:00",
"dateReserved": "2008-01-10T00:00:00",
"dateUpdated": "2024-08-07T07:39:34.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2009-3341 (GCVE-0-2009-3341)
Vulnerability from cvelistv5
Published
2009-09-24 16:00
Modified
2024-09-17 03:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securitytracker.com/id?1022827 | vdb-entry, x_refsource_SECTRACK | |
| http://secunia.com/advisories/36571 | third-party-advisory, x_refsource_SECUNIA | |
| http://intevydis.com/vd-list.shtml | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:22:24.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1022827",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id?1022827"
},
{
"name": "36571",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36571"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://intevydis.com/vd-list.shtml"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-09-24T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "1022827",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id?1022827"
},
{
"name": "36571",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36571"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://intevydis.com/vd-list.shtml"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-3341",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1022827",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id?1022827"
},
{
"name": "36571",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36571"
},
{
"name": "http://intevydis.com/vd-list.shtml",
"refsource": "MISC",
"url": "http://intevydis.com/vd-list.shtml"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-3341",
"datePublished": "2009-09-24T16:00:00Z",
"dateReserved": "2009-09-24T00:00:00Z",
"dateUpdated": "2024-09-17T03:03:10.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
var-200801-0206
Vulnerability from variot
Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a wireless router of Cisco, which is a wireless routing device that combines the functions of wireless access point, switch and router. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Word Malformed FIB Arbitrary Free Vulnerability
- Advisory Information
Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability Advisory ID: CORE-2008-0228 Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free Date published: 2008-12-10 Date of last update: 2008-12-10 Vendors contacted: Microsoft Release mode: Coordinated release
- Vulnerability Information
Class: Arbitrary free Remotely Exploitable: Yes (client-side) Locally Exploitable: No Bugtraq ID: 29633 CVE Name: CVE-2008-4024
- Vulnerability Description
A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the user running the MS Word application.
More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values.
- Vulnerable packages
. Microsoft Word 2000 Service Pack 3 . Microsoft Word 2002 Service Pack 3
- Non-vulnerable packages
. Microsoft Word 2003 Service Pack 3 . Microsoft Word 2007
- Vendor Information, Solutions and Workarounds
Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008, available at http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx
Microsoft recommends that customers apply the update immediately.
- Credits
This vulnerability was discovered and researched by Ricardo Narvaja, from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
- Technical Description / Proof of Concept Code
A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. A Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions, and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running the MS Word application.
To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc' file, and then change the byte at offset 0x4f0, this is the 'lcbPlcfBkfSdt' field value located inside the File Information Block (FIB). By simply changing this byte from 0 to 1, we obtain a file that will make vulnerable Word versions crash when closing the file. This can be improved to make Word crash when opening the file by changing some other values. This fact was detected using automated fuzzing.
In location 0x2b80, there is an arbitrary pointer that can be controlled to choose the address that will be used as parameter of a call to the free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0, modifying this pointer has no effect. But if this value is 1, then modifying this arbitrary pointer will cause the free function to close the program.
The execution of '__MsoPvFree' is reached with two controlled values, the pointer that was directly changed in the .doc file and the contents of the memory position that it points to. That is, both of them are controlled, one directly and the other in an indirect manner, we can thus fully control the effect of the free function.
The exploitation of this bug depends on the construction of a file such that different arbitrary blocks are allocated when closing the file before 'free' is called. However this scenario is complex due to the limitations of the '__MsoPvFree' API, including checks that make the exploitation difficult.
The vendor's analysis indicates that the root cause of this vulnerability is the processing of a 'PlfLfo' structure that is read in from the file. It contains an array of 'Lfo' objects. If any of those 'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4 bytes) value that is non-zero, Word will attempt to free memory at 'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with a valid pointer to allocated memory, but if 'clfolvl' is 0 this initialization step is skipped. Later on cleanup code will check if 'plfolvl' has a non-zero value and if so, attempt to free the memory chunk it points to.
A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash ('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An illustrated explanation can be downloaded from Core's website (see reference [3]).
- Report Timeline
. 2008-03-13: Core notifies the vendor of the vulnerability and sends the advisory draft. The advisory's publication is preliminary set to April 14th, 2008. 2008-03-13: Vendor acknowledges notification. 2008-03-31: Core requests information concerning Microsoft's plans to fix the vulnerability (no reply received). 2008-04-16: Core requests again information concerning Microsoft's schedule to produce a fix. The advisory publication is rescheduled for May 12th, 2008. 2008-04-25: Vendor informs that they are wrapping up the investigation and threat model analysis and that fixes will not be included in the Word Security Bulletin of May. Vendor estimates that it will take a few months to produce and test a fix for the vulnerability. Vendor promises an update on May 23th. 2008-04-25: Core sends additional information with low level details of the vulnerability. 2008-04-28: Core requests the vendor details about the schedule for the vulnerability fix in order to coordinate the publication of the advisory (no reply received). 2008-05-28: Core requests again details about the vulnerability fix schedule (no reply received). 2008-06-02: Core requests again details about the vulnerability fix schedule, root cause of the problem and confirmation of vulnerable versions. Core reschedules the publication of the advisory for June 11th, 2008 as "user release" (no reply received). 2008-06-13: In another attempt to coordinate the publication of the advisory with the release of a fixed version, Core reschedules publication for the second Wednesday of July, under "user release" mode. The latest advisory version is sent to the vendor. 2008-06-17: Vendor apologies for having mistakenly marked this issue as "no action until 6/23". Vendor informs that they are working on a fix plan and promises more information to be sent on Monday June 23rd. 2008-06-27: Core requests the vendor the expected details on the vulnerability fix schedule. 2008-07-03: Vendor thanks Core for holding on the publication of this vulnerability, and informs that the issue described in advisory CORE-2008-0228 is marked to be addressed in October 2008. It also informs that they don't have reports of the vulnerability being exploited in the wild. 2008-07-08: Vendor informs that they have binaries available to pre-test the potential fixes. 2008-07-08: Core asks for the patches to pre-test and informs the vendor that publication date of the advisory will be revisited. 2008-07-23: Core sends the vendor an updated version of the advisory and PoC files. 2008-08-26: Core requests the vendor a more precise date for the release of fixes in October. 2008-08-29: Vendor informs that they are tentatively targeting October 14th, and that patches will be sent to Core for inspection the following week. 2008-08-29: Core acknowledges reception of the previous mail. 2008-09-30: Vendor informs that the planned release of the fix for this vulnerability has slipped out to December 11th. Vendor supplies Core a draft of their own security bulletin and a copy of the Office 2000 update fixing the bug. 2008-10-01: Core confirms the vendor that after private discussions the advisory will be published in December 9th (second Tuesday of the month). 2008-10-01: Vendor confirms that the release date of fixes is December 9th and supplies Core with a copy of their own security bulletin and a copy of the Office XP update fixing the bug. 2008-10-20: Core confirms that it intends to publish the advisory CORE-2008-0228 on December 9th as previously established. 2008-11-11: Vendor confirms it is still on track to publish this fix for December 9th. 2008-11-11: Core informs the vendor that the patch was tested and works on Office XP (i.e. the crash avoided) and confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously established by both parties. 2008-12-04: Core sends the final draft of the advisory to the vendor. 2008-12-09: Microsoft Security Bulletin MS08-072 is released. 2008-12-10: Advisory CORE-2008-0228 is published.
- References
[1] Word 97-2007 Binary File Format (*.doc) Specification http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf [2] Microsoft Word Arbitrary Free Vulnerability PoC http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc [3] Microsoft Word Arbitrary Free Vulnerability Explained http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.
- About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6 QgEAnRl3fbRhADlci+pJwDQGjrtj2bxs =hR/7 -----END PGP SIGNATURE----- .
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched.
Download and test it today: https://psi.secunia.com/
Read more about this new version: https://psi.secunia.com/?page=changelog
TITLE: Linksys WRT54GL Cross-Site Request Forgery
SECUNIA ADVISORY ID: SA28364
VERIFY ADVISORY: http://secunia.com/advisories/28364/
CRITICAL: Less critical
IMPACT: Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM: Linksys WRT54GL 4.x http://secunia.com/product/17134/
DESCRIPTION: Tomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to e.g. disable the firewall by enticing a logged-in administrator to visit a malicious site.
The vulnerability is reported in firmware version 4.30.9. Other versions may also be affected.
SOLUTION: The vendor is currently working on a fix.
Do not browse untrusted websites or follow untrusted links while logged on to the application.
PROVIDED AND/OR DISCOVERED BY: Tomaz Bratusa, Team Intell
ORIGINAL ADVISORY: TISA-2008-01 (via Bugtraq): http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "wrt54gl",
"scope": "eq",
"trust": 1.9,
"vendor": "linksys",
"version": "4.30.9"
},
{
"_id": null,
"model": "wrt54gl",
"scope": "eq",
"trust": 0.8,
"vendor": "cisco linksys",
"version": "4.30.9"
}
],
"sources": [
{
"db": "BID",
"id": "85181"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
},
{
"db": "NVD",
"id": "CVE-2008-0228"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:linksys:wrt54gl",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
}
]
},
"credits": {
"_id": null,
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "85181"
}
],
"trust": 0.3
},
"cve": "CVE-2008-0228",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2008-0228",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-30353",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2008-0228",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2008-0228",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200801-156",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-30353",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2008-0228",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
},
{
"db": "VULMON",
"id": "CVE-2008-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
},
{
"db": "NVD",
"id": "CVE-2008-0228"
}
]
},
"description": {
"_id": null,
"data": "Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a wireless router of Cisco, which is a wireless routing device that combines the functions of wireless access point, switch and router. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\n Microsoft Word Malformed FIB Arbitrary Free Vulnerability\n\n\n\n1. *Advisory Information*\n\nTitle: Microsoft Word Malformed FIB Arbitrary Free Vulnerability\nAdvisory ID: CORE-2008-0228\nAdvisory URL: http://www.coresecurity.com/content/word-arbitrary-free\nDate published: 2008-12-10\nDate of last update: 2008-12-10\nVendors contacted: Microsoft\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Arbitrary free\nRemotely Exploitable: Yes (client-side)\nLocally Exploitable: No\nBugtraq ID: 29633\nCVE Name: CVE-2008-4024\n\n\n3. *Vulnerability Description*\n\nA vulnerability has been found in the way that Microsoft Word handles\nspecially crafted Word files. The vulnerability could allow remote code\nexecution if a user opens a specially crafted Word file that includes a\nmalformed record value. An attacker who successfully exploited this\nvulnerability could execute arbitrary code with the privileges of the\nuser running the MS Word application. \n\nMore specifically, a Word file with a specially crafted \u0027lcbPlcfBkfSdt\u0027\nfield value (offset \u00270x4f0\u0027) inside the File Information Block (FIB) can\ncorrupt the heap structure on vulnerable Word versions and enable an\narbitrary free with controlled values. \n\n\n4. *Vulnerable packages*\n\n . Microsoft Word 2000 Service Pack 3\n . Microsoft Word 2002 Service Pack 3\n\n\n5. *Non-vulnerable packages*\n\n . Microsoft Word 2003 Service Pack 3\n . Microsoft Word 2007\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMicrosoft has released patches for this vulnerability. For more\ninformation refer to the Microsoft Security Bulletin MS08-072 released\non December 9th, 2008, available at\nhttp://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx\n\nMicrosoft recommends that customers apply the update immediately. \n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Ricardo Narvaja,\nfrom CORE IMPACT\u0027s Exploit Writing Team (EWT), Core Security Technologies. \n\n\n8. *Technical Description / Proof of Concept Code*\n\nA vulnerability has been found in the way that Microsoft Word handles\nspecially crafted Word files. A Word file with a specially crafted\n\u0027lcbPlcfBkfSdt\u0027 field value (offset \u00270x4f0\u0027) inside the File Information\nBlock (FIB) can corrupt the heap structure on vulnerable Word versions,\nand enable an arbitrary free with controlled values. If successfully\nexploited, this vulnerability could allow an attacker to execute\narbitrary code on vulnerable systems with the privileges of the user\nrunning the MS Word application. \n\nTo construct a PoC file that demonstrates this bug it is sufficient to\nuse Microsoft Word 2007 to generate a Word 97-2003 compatible \u0027.doc\u0027\nfile, and then change the byte at offset 0x4f0, this is the\n\u0027lcbPlcfBkfSdt\u0027 field value located inside the File Information Block\n(FIB). By simply changing this byte from 0 to 1, we obtain a file that\nwill make vulnerable Word versions crash when closing the file. This can\nbe improved to make Word crash when opening the file by changing some\nother values. This fact was detected using automated fuzzing. \n\nIn location 0x2b80, there is an arbitrary pointer that can be controlled\nto choose the address that will be used as parameter of a call to the\nfree function \u0027__MsoPvFree\u0027. If the \u0027lcbPlcfBkfSdt\u0027 value is 0,\nmodifying this pointer has no effect. But if this value is 1, then\nmodifying this arbitrary pointer will cause the free function to close\nthe program. \n\nThe execution of \u0027__MsoPvFree\u0027 is reached with two controlled values,\nthe pointer that was directly changed in the .doc file and the contents\nof the memory position that it points to. That is, both of them are\ncontrolled, one directly and the other in an indirect manner, we can\nthus fully control the effect of the free function. \n\nThe exploitation of this bug depends on the construction of a file such\nthat different arbitrary blocks are allocated when closing the file\nbefore \u0027free\u0027 is called. However this scenario is complex due to the\nlimitations of the \u0027__MsoPvFree\u0027 API, including checks that make the\nexploitation difficult. \n\nThe vendor\u0027s analysis indicates that the root cause of this\nvulnerability is the processing of a \u0027PlfLfo\u0027 structure that is read in\nfrom the file. It contains an array of \u0027Lfo\u0027 objects. If any of those\n\u0027Lfo\u0027 objects has a \u0027clfolvl\u0027 value of 0 and a \u0027plfolvl\u0027 (the previous 4\nbytes) value that is non-zero, Word will attempt to free memory at\n\u0027plfolvl\u0027. This is because \u0027plfolvl\u0027 is supposed to be overwritten with\na valid pointer to allocated memory, but if \u0027clfolvl\u0027 is 0 this\ninitialization step is skipped. Later on cleanup code will check if\n\u0027plfolvl\u0027 has a non-zero value and if so, attempt to free the memory\nchunk it points to. \n\nA Proof of Concept \u0027.doc\u0027 file which makes Word 2000 and Word 2002 crash\n(\u0027WINWORD.EXE\u0027, main thread, module \u0027MS09\u0027) is available at [2]. An\nillustrated explanation can be downloaded from Core\u0027s website (see\nreference [3]). \n\n\n9. *Report Timeline*\n\n. 2008-03-13: Core notifies the vendor of the vulnerability and sends\nthe advisory draft. The advisory\u0027s publication is preliminary set to\nApril 14th, 2008. 2008-03-13: Vendor acknowledges notification. 2008-03-31: Core requests information concerning Microsoft\u0027s plans to\nfix the vulnerability (no reply received). 2008-04-16: Core requests again information concerning Microsoft\u0027s\nschedule to produce a fix. The advisory publication is rescheduled for\nMay 12th, 2008. 2008-04-25: Vendor informs that they are wrapping up the investigation\nand threat model analysis and that fixes will not be included in the\nWord Security Bulletin of May. Vendor estimates that it will take a few\nmonths to produce and test a fix for the vulnerability. Vendor promises\nan update on May 23th. 2008-04-25: Core sends additional information with low level details\nof the vulnerability. 2008-04-28: Core requests the vendor details about the schedule for\nthe vulnerability fix in order to coordinate the publication of the\nadvisory (no reply received). 2008-05-28: Core requests again details about the vulnerability fix\nschedule (no reply received). 2008-06-02: Core requests again details about the vulnerability fix\nschedule, root cause of the problem and confirmation of vulnerable\nversions. Core reschedules the publication of the advisory for June\n11th, 2008 as \"user release\" (no reply received). 2008-06-13: In another attempt to coordinate the publication of the\nadvisory with the release of a fixed version, Core reschedules\npublication for the second Wednesday of July, under \"user release\" mode. \nThe latest advisory version is sent to the vendor. 2008-06-17: Vendor apologies for having mistakenly marked this issue\nas \"no action until 6/23\". Vendor informs that they are working on a fix\nplan and promises more information to be sent on Monday June 23rd. 2008-06-27: Core requests the vendor the expected details on the\nvulnerability fix schedule. 2008-07-03: Vendor thanks Core for holding on the publication of this\nvulnerability, and informs that the issue described in advisory\nCORE-2008-0228 is marked to be addressed in October 2008. It also\ninforms that they don\u0027t have reports of the vulnerability being\nexploited in the wild. 2008-07-08: Vendor informs that they have binaries available to\npre-test the potential fixes. 2008-07-08: Core asks for the patches to pre-test and informs the\nvendor that publication date of the advisory will be revisited. 2008-07-23: Core sends the vendor an updated version of the advisory\nand PoC files. 2008-08-26: Core requests the vendor a more precise date for the\nrelease of fixes in October. 2008-08-29: Vendor informs that they are tentatively targeting October\n14th, and that patches will be sent to Core for inspection the following\nweek. 2008-08-29: Core acknowledges reception of the previous mail. 2008-09-30: Vendor informs that the planned release of the fix for\nthis vulnerability has slipped out to December 11th. Vendor supplies\nCore a draft of their own security bulletin and a copy of the Office\n2000 update fixing the bug. 2008-10-01: Core confirms the vendor that after private discussions\nthe advisory will be published in December 9th (second Tuesday of the\nmonth). 2008-10-01: Vendor confirms that the release date of fixes is December\n9th and supplies Core with a copy of their own security bulletin and a\ncopy of the Office XP update fixing the bug. 2008-10-20: Core confirms that it intends to publish the advisory\nCORE-2008-0228 on December 9th as previously established. 2008-11-11: Vendor confirms it is still on track to publish this fix\nfor December 9th. 2008-11-11: Core informs the vendor that the patch was tested and\nworks on Office XP (i.e. the crash avoided) and confirms that it intends\nto publish advisory CORE-2008-0228 on December 9th as previously\nestablished by both parties. 2008-12-04: Core sends the final draft of the advisory to the vendor. 2008-12-09: Microsoft Security Bulletin MS08-072 is released. 2008-12-10: Advisory CORE-2008-0228 is published. \n\n\n10. *References*\n\n[1] Word 97-2007 Binary File Format (*.doc) Specification\nhttp://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf\n[2] Microsoft Word Arbitrary Free Vulnerability PoC\nhttp://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc\n[3] Microsoft Word Arbitrary Free Vulnerability Explained\nhttp://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6\nQgEAnRl3fbRhADlci+pJwDQGjrtj2bxs\n=hR/7\n-----END PGP SIGNATURE-----\n. \n\n----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. \n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nLinksys WRT54GL Cross-Site Request Forgery\n\nSECUNIA ADVISORY ID:\nSA28364\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/28364/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nCross Site Scripting\n\nWHERE:\n\u003eFrom remote\n\nOPERATING SYSTEM:\nLinksys WRT54GL 4.x\nhttp://secunia.com/product/17134/\n\nDESCRIPTION:\nTomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which\ncan be exploited by malicious people to conduct cross-site request\nforgery attacks. This can be exploited to e.g. \ndisable the firewall by enticing a logged-in administrator to visit a\nmalicious site. \n\nThe vulnerability is reported in firmware version 4.30.9. Other\nversions may also be affected. \n\nSOLUTION:\nThe vendor is currently working on a fix. \n\nDo not browse untrusted websites or follow untrusted links while\nlogged on to the application. \n\nPROVIDED AND/OR DISCOVERED BY:\nTomaz Bratusa, Team Intell\n\nORIGINAL ADVISORY:\nTISA-2008-01 (via Bugtraq):\nhttp://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2008-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "BID",
"id": "85181"
},
{
"db": "VULHUB",
"id": "VHN-30353"
},
{
"db": "VULMON",
"id": "CVE-2008-0228"
},
{
"db": "PACKETSTORM",
"id": "72847"
},
{
"db": "PACKETSTORM",
"id": "62461"
}
],
"trust": 2.25
},
"exploit_availability": {
"_id": null,
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-30353",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
}
]
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2008-0228",
"trust": 3.0
},
{
"db": "SREASON",
"id": "3534",
"trust": 2.1
},
{
"db": "SECUNIA",
"id": "28364",
"trust": 1.9
},
{
"db": "XF",
"id": "39502",
"trust": 0.9
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156",
"trust": 0.7
},
{
"db": "BUGTRAQ",
"id": "20080107 LINKSYS WRT54 GL - SESSION RIDING (CSRF)",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20080115 RE: LINKSYS WRT54 GL - SESSION RIDING (CSRF)",
"trust": 0.6
},
{
"db": "BID",
"id": "85181",
"trust": 0.5
},
{
"db": "PACKETSTORM",
"id": "72847",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-30353",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2008-0228",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "62461",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
},
{
"db": "VULMON",
"id": "CVE-2008-0228"
},
{
"db": "BID",
"id": "85181"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "PACKETSTORM",
"id": "72847"
},
{
"db": "PACKETSTORM",
"id": "62461"
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
},
{
"db": "NVD",
"id": "CVE-2008-0228"
}
]
},
"id": "VAR-200801-0206",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T21:48:44.391000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Linksys",
"trust": 0.8,
"url": "http://home.cisco.com/en-apac/home"
},
{
"title": "reverse-engineering-toolkit",
"trust": 0.1,
"url": "https://github.com/geeksniper/reverse-engineering-toolkit "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2008-0228"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-352",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "NVD",
"id": "CVE-2008-0228"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 2.1,
"url": "http://securityreason.com/securityalert/3534"
},
{
"trust": 1.8,
"url": "http://secunia.com/advisories/28364"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/archive/1/485853/100/0/threaded"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/archive/1/486362/100/0/threaded"
},
{
"trust": 1.2,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39502"
},
{
"trust": 0.9,
"url": "http://xforce.iss.net/xforce/xfdb/39502"
},
{
"trust": 0.9,
"url": "http://www.securityfocus.com/archive/1/archive/1/485853/100/0/threaded"
},
{
"trust": 0.9,
"url": "http://www.securityfocus.com/archive/1/archive/1/486362/100/0/threaded"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0228"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0228"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/352.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.securityfocus.com/bid/85181"
},
{
"trust": 0.1,
"url": "https://github.com/geeksniper/reverse-engineering-toolkit"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-0228"
},
{
"trust": 0.1,
"url": "http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://enigmail.mozdev.org"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core-2008-0228-word-advisory-poc.doc"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/corelabs."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "http://download.microsoft.com/download/0/b/e/0be8bdd7-e5e8-422a-abfd-4342ed7ad886/word97-2007binaryfileformat(doc)specification.pdf"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core-2008-0228-word.pdf"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/corelabs/"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/content/word-arbitrary-free"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/?page=changelog"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/28364/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/17134/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-30353"
},
{
"db": "VULMON",
"id": "CVE-2008-0228"
},
{
"db": "BID",
"id": "85181"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
},
{
"db": "PACKETSTORM",
"id": "72847"
},
{
"db": "PACKETSTORM",
"id": "62461"
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
},
{
"db": "NVD",
"id": "CVE-2008-0228"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-30353",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2008-0228",
"ident": null
},
{
"db": "BID",
"id": "85181",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2008-003932",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "72847",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "62461",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2008-0228",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2008-01-10T00:00:00",
"db": "VULHUB",
"id": "VHN-30353",
"ident": null
},
{
"date": "2008-01-10T00:00:00",
"db": "VULMON",
"id": "CVE-2008-0228",
"ident": null
},
{
"date": "2008-01-10T00:00:00",
"db": "BID",
"id": "85181",
"ident": null
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-003932",
"ident": null
},
{
"date": "2008-12-10T18:55:02",
"db": "PACKETSTORM",
"id": "72847",
"ident": null
},
{
"date": "2008-01-10T08:17:01",
"db": "PACKETSTORM",
"id": "62461",
"ident": null
},
{
"date": "2008-01-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200801-156",
"ident": null
},
{
"date": "2008-01-10T23:46:00",
"db": "NVD",
"id": "CVE-2008-0228",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2018-10-15T00:00:00",
"db": "VULHUB",
"id": "VHN-30353",
"ident": null
},
{
"date": "2018-10-15T00:00:00",
"db": "VULMON",
"id": "CVE-2008-0228",
"ident": null
},
{
"date": "2008-01-10T00:00:00",
"db": "BID",
"id": "85181",
"ident": null
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-003932",
"ident": null
},
{
"date": "2008-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200801-156",
"ident": null
},
{
"date": "2024-11-21T00:41:27.217000",
"db": "NVD",
"id": "CVE-2008-0228",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "72847"
},
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
}
],
"trust": 0.7
},
"title": {
"_id": null,
"data": "Linksys WRT54GL Wireless-G Broadband Router Vulnerable to cross-site request forgery",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-003932"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200801-156"
}
],
"trust": 0.6
}
}
var-200909-0134
Vulnerability from variot
Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. WRT54GL is prone to a remote security vulnerability. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability intelligence source on the market.
Implement it through Secunia.
For more information visit: http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com
TITLE: Linksys WRT54GL Unspecified Buffer Overflow Vulnerability
SECUNIA ADVISORY ID: SA36571
VERIFY ADVISORY: http://secunia.com/advisories/36571/
DESCRIPTION: A vulnerability has been reported in Linksys WRT54GL, which can be exploited by malicious people to compromise a vulnerable device.
The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow. No further information is currently available.
SOLUTION: Due to the very limited available information, it is not possible to suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY: Reportedly a module for VulnDisco Pack.
ORIGINAL ADVISORY: http://intevydis.com/vd-list.shtml
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200909-0134",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "wrt54gl",
"scope": "eq",
"trust": 1.0,
"vendor": "linksys",
"version": "*"
},
{
"model": "wrt54gl",
"scope": null,
"trust": 0.8,
"vendor": "cisco linksys",
"version": null
},
{
"model": "wrt54gl",
"scope": "eq",
"trust": 0.6,
"vendor": "linksys",
"version": "0"
},
{
"model": "wrt54gl",
"scope": null,
"trust": 0.6,
"vendor": "linksys",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:linksys:wrt54gl",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Unknown",
"sources": [
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
}
],
"trust": 0.6
},
"cve": "CVE-2009-3341",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CVE-2009-3341",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-40787",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2009-3341",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2009-3341",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200909-453",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-40787",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. \nAn attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. WRT54GL is prone to a remote security vulnerability. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management) \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\nFor more information visit:\nhttp://secunia.com/advisories/business_solutions/\n\nAlternatively request a call from a Secunia representative today to\ndiscuss how we can help you with our capabilities contact us at:\nsales@secunia.com\n\n----------------------------------------------------------------------\n\nTITLE:\nLinksys WRT54GL Unspecified Buffer Overflow Vulnerability\n\nSECUNIA ADVISORY ID:\nSA36571\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/36571/\n\nDESCRIPTION:\nA vulnerability has been reported in Linksys WRT54GL, which can be\nexploited by malicious people to compromise a vulnerable device. \n\nThe vulnerability is caused due to an unspecified error and can be\nexploited to cause a buffer overflow. No further information is\ncurrently available. \n\nSOLUTION:\nDue to the very limited available information, it is not possible to\nsuggest an effective workaround. \n\nPROVIDED AND/OR DISCOVERED BY:\nReportedly a module for VulnDisco Pack. \n\nORIGINAL ADVISORY:\nhttp://intevydis.com/vd-list.shtml\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2009-3341"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
},
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "PACKETSTORM",
"id": "80968"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2009-3341",
"trust": 3.1
},
{
"db": "SECTRACK",
"id": "1022827",
"trust": 2.3
},
{
"db": "SECUNIA",
"id": "36571",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453",
"trust": 0.7
},
{
"db": "BID",
"id": "87522",
"trust": 0.4
},
{
"db": "BID",
"id": "82342",
"trust": 0.4
},
{
"db": "VULHUB",
"id": "VHN-40787",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "80968",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "PACKETSTORM",
"id": "80968"
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"id": "VAR-200909-0134",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-40787"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T23:13:05.998000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Linksys",
"trust": 0.8,
"url": "http://home.cisco.com/en-apac/home"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://intevydis.com/vd-list.shtml"
},
{
"trust": 2.3,
"url": "http://www.securitytracker.com/id?1022827"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/36571"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-3341"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-3341"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/36571/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/business_solutions/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "PACKETSTORM",
"id": "80968"
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-40787"
},
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
},
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"db": "PACKETSTORM",
"id": "80968"
},
{
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-09-24T00:00:00",
"db": "VULHUB",
"id": "VHN-40787"
},
{
"date": "2009-09-24T00:00:00",
"db": "BID",
"id": "82342"
},
{
"date": "2009-09-24T00:00:00",
"db": "BID",
"id": "87522"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"date": "2009-09-03T05:18:59",
"db": "PACKETSTORM",
"id": "80968"
},
{
"date": "2009-09-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"date": "2009-09-24T16:30:01.733000",
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2009-09-28T00:00:00",
"db": "VULHUB",
"id": "VHN-40787"
},
{
"date": "2009-09-24T00:00:00",
"db": "BID",
"id": "82342"
},
{
"date": "2009-09-24T00:00:00",
"db": "BID",
"id": "87522"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2009-004975"
},
{
"date": "2009-09-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200909-453"
},
{
"date": "2024-11-21T01:07:07.903000",
"db": "NVD",
"id": "CVE-2009-3341"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Linksys WRT54GL Wireless router buffer overflow vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2009-004975"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Failure to Handle Exceptional Conditions",
"sources": [
{
"db": "BID",
"id": "82342"
},
{
"db": "BID",
"id": "87522"
}
],
"trust": 0.6
}
}