CVE-2024-39363

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: A cross-site scripting (xss) vulnerability exists in the set lang CountryCode() functionality of login.cgi. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

Recommendations: For version M33A8.V5030.210505, as a temporary workaround, consider disabling the set lang CountryCode() function until a patch is available. Restrict access to the login.cgi module to minimize the risk of exploitation. Avoid using the login.cgi endpoint with specially crafted requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.