Azmi Alsarayrah

**Name of the Vulnerable Software and Affected Versions** thingino-firmware versions prior to firmware-2026-03-16 **Description** The software contains an unauthenticated operating system command injection flaw within the WiFi captive portal CGI script. This allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the `eval` function within the `parse query()` and `parse post()` functions to achieve remote code execution and perform privileged configuration changes. These changes include resetting the root password and modifying SSH `authorized keys`, potentially leading to full and persistent device compromise. **Recommendations** Update thingino-firmware to a version later than firmware-2026-03-16.

**Name of the Vulnerable Software and Affected Versions** thingino-firmware versions prior to commit e3f6a41 wpDiscuz versions prior to 7.6.47 **Description** thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. This allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the `eval` function in the `parse query()` and `parse post()` functions to achieve remote code execution and perform privileged configuration changes, including root password reset and SSH authorized keys modification, resulting in full persistent device compromise. wpDiscuz contains a cross-site scripting issue in the `customCss` field. Administrators can inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads to execute arbitrary JavaScript in user browsers. **Recommendations** thingino-firmware versions prior to commit e3f6a41: Update to commit e3f6a41 or later. wpDiscuz versions prior to 7.6.47: Update to version 7.6.47 or later.