CVE-2021-36707

Name of the Vulnerable Software and Affected Versions ProLink PRC2402M versions 1.0.18 and older

Description The issue concerns a command injection in the set ledonoff function within the adm.cgi binary. This function is accessible with a page parameter value of ledonoff. The led cmd parameter's value is passed directly to do system(), allowing for a trivial command injection.

Recommendations For ProLink PRC2402M versions 1.0.18 and older, as a temporary workaround, consider restricting access to the adm.cgi binary or disabling the set ledonoff function until a patch is available. Avoid using the led cmd parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.