PT-2024-22221 · Unknown · Mc Lr Router

Matt Wiseman · Published 2024-11-21 · Updated 2025-08-26 · CVE-2024-28026

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

MC LR Router version 2.10.5

Description

The issue is related to OS command injection vulnerabilities in the web interface I/O configuration functionality. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these vulnerabilities, specifically through the attacker-controlled out1 parameter. The vulnerability occurs in the code where the out1 parameter is used to construct a command that is executed by the system() function.

Recommendations

For MC LR Router version 2.10.5, consider disabling the out1 parameter in the web interface I/O configuration functionality as a temporary workaround until a patch is available. Restrict access to the vulnerable web interface to minimize the risk of exploitation. Avoid using the out1 parameter in authenticated HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
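
The system() pattern named in the description, next to a hardened form, as an added example that is not the vendor's code: the handler checks out1 against an allowlist and starts the helper directly, so no shell ever parses the value. The helper name and arguments, the function names and the assumption that out1 only takes 0 or 1 are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Vulnerable shape described in the advisory (hypothetical command name):
 *   snprintf(cmd, sizeof cmd, "io_helper set out1 %s", out1);
 *   system(cmd);   // /bin/sh parses cmd, so out1 can change the command
 */

/* Assumption: out1 is a digital output state, so only "0" and "1" are valid. */
int out1_is_valid(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* Hardened form: reject anything off the allowlist, then start the helper
 * directly with out1 as one argv element. No shell is involved.
 * Returns -1 on rejected input, -2 on spawn/wait failure, else exit status. */
int set_out1(const char *helper_path, const char *out1)
{
    if (!out1_is_valid(out1))
        return -1;

    char *const argv[] = { (char *)helper_path, "set", "out1", (char *)out1, NULL };
    pid_t pid;
    int status;

    if (posix_spawn(&pid, helper_path, NULL, NULL, argv, environ) != 0)
        return -2;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    /* /bin/echo stands in for the hypothetical helper binary. */
    printf("valid:    %d\n", set_out1("/bin/echo", "1"));
    printf("rejected: %d\n", set_out1("/bin/echo", "1 extra"));
    return 0;
}
```

Rejecting the request before any process is started also gives a single place to log refused out1 values for later review.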

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2024-28026

Affected Products

Mc Lr Router