PT-2023-8749 · Gl.Inet · Gl-Inet Ar750+8
Published: 2023-12-27 · Updated: 2024-07-03
CVE-2023-50445
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GL.iNet A1300 versions 4.4.6
GL.iNet AX1800 versions 4.4.6
GL.iNet AXT1800 versions 4.4.6
GL.iNet MT3000 versions 4.4.6
GL.iNet MT2500 versions 4.4.6
GL.iNet MT6000 versions 4.5.0
GL.iNet MT1300 versions 4.3.7
GL.iNet MT300N-V2 versions 4.3.7
GL.iNet AR750S versions 4.3.7
GL.iNet AR750 versions 4.3.7
GL.iNet AR300M versions 4.3.7
GL.iNet B1300 versions 4.3.7
Description
The issue allows local attackers to execute arbitrary code via the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module. This is due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the issue may allow an attacker to execute arbitrary code. Approximately 36,128 devices are potentially affected, mainly distributed in the United States, China, and other countries.
Recommendations
For GL.iNet A1300 version 4.4.6, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet AX1800 version 4.4.6, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet AXT1800 version 4.4.6, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet MT3000 version 4.4.6, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet MT2500 version 4.4.6, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet MT6000 version 4.5.0, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet MT1300 version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet MT300N-V2 version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet AR750S version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet AR750 version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet AR300M version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
For GL.iNet B1300 version 4.3.7, consider disabling the get system log and get crash log functions of the logread module, as well as the upgrade online function of the upgrade module, until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
OS Command Injection
Special Elements Injection
Command Injection
Affected Products
Gl-Inet A1300
Gl-Inet Ar300M
Gl-Inet Ar750
Gl-Inet Ax1800
Gl-Inet Mt1300
Gl-Inet Mt2500
Gl-Inet Mt3000
Gl-Inet Mt300N-V2
Gl-Inet Mt6000