CVE-2023-50922

Name of the Vulnerable Software and Affected Versions GL.iNet devices versions 4.3.7 through 4.5.0

Description An issue was discovered on GL.iNet devices. Attackers who are able to steal the AdminToken cookie can execute arbitrary code by uploading a crontab-formatted file to a specific directory and waiting for its execution. This affects various GL.iNet device models.

Recommendations For versions 4.3.7 through 4.5.0, as a temporary workaround, consider restricting access to the directory where crontab-formatted files are uploaded until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.