GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
The vulnerability occurs in the handling of the 'module' parameter passed to the M.get_system_log function. Input data is not properly validated or sanitized before being passed to the system command interpreter. An attacker can craft a malicious payload containing additional system commands that will be executed in the context of the device.
An attacker can execute arbitrary system commands on the vulnerable device, leading to complete compromise of confidentiality, integrity, and availability of the system β including potential takeover of full control over the router.
Apply patches available from the manufacturer according to the references. It is recommended to restrict access to the device management interface only to trusted networks and disable remote access to the admin panel if not required.
GL-iNet GL-AR300M16 Firmware version 4.3.11
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGl Inet Ar300m16
HWGl-Inetwszystkie wersjeGl Inet Ar300m16 Firmware
OSGl-Inet4.3.11
Related vulnerabilities
Command injection w GL-iNet GL-AR300M16 via set_config
Command injection w GL-iNet GL-AR300M16 β funkcja set_upgrade
Command injection w GL-iNet GL-AR300M16 β wykonanie dowolnych poleceΕ
RCE w firmware GL-iNet β obejΕcie mechanizmu logowania
GL-iNet: RCE i path traversal w /cgi-bin/glc bez uwierzytelnienia