PT-2023-26647 · Comfast · Comfast Cf-Xr11
Tty
+1
·
Published
2023-08-15
·
Updated
2023-08-22
·
CVE-2023-38866
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
COMFAST CF-XR11 version 2.7.2
Description
The issue is a command injection vulnerability detected at the function sub 415588. Attackers can send POST request messages to the /usr/bin/webmgnt endpoint and inject commands into the parameters
interface and display name.Recommendations
For COMFAST CF-XR11 version 2.7.2, as a temporary workaround, consider restricting access to the /usr/bin/webmgnt endpoint to minimize the risk of exploitation. Avoid using the parameters
interface and display name in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Comfast Cf-Xr11