CVE-2024-39768

Name of the Vulnerable Software and Affected Versions: Wavlink AC3000 version M33A8.V5030.210505

Description: Multiple buffer overflow vulnerabilities exist in the internet.cgi set qos() functionality. A specially crafted HTTP request can lead to stack-based buffer overflow. An attacker can make an authenticated HTTP request to trigger these vulnerabilities. The vulnerability exists in the cli name POST parameter.

Recommendations: For Wavlink AC3000 version M33A8.V5030.210505, as a temporary workaround, consider restricting access to the cli name parameter in the affected HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.