CVE-2022-26782

Name of the Vulnerable Software and Affected Versions InRouter302 version 3.5.4

Description The issue is related to improper input validation vulnerabilities in the libnvram.so nvram import functionality and the httpd's user define set item function. A specially-crafted file can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability. Controlling the user define timeout nvram variable can also lead to remote code execution.

Recommendations For InRouter302 version 3.5.4, consider disabling the nvram import functionality and restricting access to the httpd's user define set item function until a patch is available. Avoid using the user define timeout nvram variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.