CVE-2018-19168

Name of the Vulnerable Software and Affected Versions FruityWifi versions through 2.4

Description The issue allows remote attackers to execute arbitrary code with root privileges via a crafted mod name parameter in a POST request to the "/www/modules/save.php" API endpoint. This can be exploited without a valid session.

Recommendations For FruityWifi versions through 2.4, as a temporary workaround, consider restricting access to the "/www/modules/save.php" API endpoint until a patch is available. Avoid using the mod name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.