PT-2020-18702 · Ignitenet · Ignitenet Helios Glinq

Derrie Sutton · Published 2020-09-23 · Updated 2020-09-29 · CVE-2020-5781

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

IgniteNet HeliOS GLinq version 2.2.1 r2961

Description

The issue arises because the authenticator.htmlauth function stores the langSelection parameter in the luci configuration file (/etc/config/luci). The parameter can be modified to contain arbitrary JavaScript, leading to a denial-of-service condition for all other users.

Recommendations

For IgniteNet HeliOS GLinq version 2.2.1 r2961, consider restricting access to the authenticator.htmlauth function to prevent modification of the langSelection parameter until a patch is available. Avoid using the langSelection parameter in the affected configuration file until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-5781

Affected Products

Ignitenet Helios Glinq