PT-2023-8992 · Gl.Inet · Gl-Inet Ax1800

Published 2023-11-30 · Updated 2024-02-16 · CVE-2023-47464

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

GL.iNet AX1800 versions 4.0.0 through 4.4.x

Description

The issue is related to insecure permissions, allowing a remote attacker to execute arbitrary code via the "upload API function". This can be achieved by sending a request to the "upload file" endpoint, specifying a malicious file in the file parameter and a target directory in the path parameter. Exploitation of this issue may allow an attacker to gain unauthorized access to protected information or execute arbitrary code.

Recommendations

For versions 4.0.0 through 4.4.x, update to version 4.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "upload file" endpoint until a patch is available. Avoid using the file and path parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2024-02884
CVE-2023-47464

Affected Products

Gl-Inet Ax1800