Filtered by vendor Gl-inet Subscriptions
Total 44 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-31473 1 Gl-inet 64 Gl-a1300, Gl-a1300 Firmware, Gl-ap1300 and 61 more 2024-11-21 4.9 Medium
An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file.
CVE-2023-31472 1 Gl-inet 64 Gl-a1300, Gl-a1300 Firmware, Gl-ap1300 and 61 more 2024-11-21 7.5 High
An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied.
CVE-2023-31471 1 Gl-inet 64 Gl-a1300, Gl-a1300 Firmware, Gl-ap1300 and 61 more 2024-11-21 9.8 Critical
An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the restrictions on the available package list are limited to client-side verification. It is possible to install software from the filesystem, the package list, or a URL.
CVE-2023-29778 1 Gl-inet 2 Gl-mt3000, Gl-mt3000 Firmware 2024-11-21 9.8 Critical
GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.
CVE-2022-44212 1 Gl-inet 1 Goodcloud 2024-11-21 5.9 Medium
In GL.iNet Goodcloud 1.0, insecure design allows remote attacker to access devices' admin panel.
CVE-2022-44211 1 Gl-inet 1 Goodcloud 2024-11-21 7.4 High
In GL.iNet Goodcloud 1.1 Incorrect access control allows a remote attacker to access/change devices' settings.
CVE-2022-42055 1 Gl-inet 1 Goodcloud 2024-11-21 6.5 Medium
Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.
CVE-2022-42054 1 Gl-inet 1 Goodcloud 2024-11-21 5.4 Medium
Multiple stored cross-site scripting (XSS) vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Company Name and Description text fields.
CVE-2022-31898 1 Gl-inet 4 Gl-ax1800, Gl-ax1800 Firmware, Gl-mt300n-v2 and 1 more 2024-11-21 6.8 Medium
gl-inet GL-MT300N-V2 Mango v3.212 and GL-AX1800 Flint v3.214 were discovered to contain multiple command injection vulnerabilities via the ping_addr and trace_addr function parameters.
CVE-2021-44148 1 Gl-inet 2 Gl-ar150, Gl-ar150 Firmware 2024-11-21 6.1 Medium
GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name.
CVE-2019-6275 1 Gl-inet 2 Gl-ar300m-lite, Gl-ar300m-lite Firmware 2024-11-21 N/A
Command injection vulnerability in firmware_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to execute arbitrary code.
CVE-2019-6274 1 Gl-inet 2 Gl-ar300m-lite, Gl-ar300m-lite Firmware 2024-11-21 N/A
Directory traversal vulnerability in storage_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to have unspecified impact via directory traversal sequences.
CVE-2019-6273 1 Gl-inet 2 Gl-ar300m-lite, Gl-ar300m-lite Firmware 2024-11-21 N/A
download_file in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to download arbitrary files.
CVE-2019-6272 1 Gl-inet 2 Gl-ar300m-lite, Gl-ar300m-lite Firmware 2024-11-21 N/A
Command injection vulnerability in login_cgi in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to execute arbitrary code.
CVE-2024-39226 1 Gl-inet 56 A1300, A1300 Firmware, Ap1300 and 53 more 2024-11-12 4.3 Medium
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a vulnerability can be exploited to manipulate routers by passing malicious shell commands through the s2s API.
CVE-2024-28077 1 Gl-inet 36 A1300, A1300 Firmware, Ar300m and 33 more 2024-10-30 7.5 High
A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.
CVE-2024-45262 1 Gl-inet 20 Gl-a1300 Firmware, Gl-ar300m16 Firmware, Gl-ar300m Firmware and 17 more 2024-10-28 8.8 High
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The params parameter in the call method of the /rpc endpoint is vulnerable to arbitrary directory traversal, which enables attackers to execute scripts under any path.
CVE-2024-45261 1 Gl-inet 20 Gl-a1300 Firmware, Gl-ar300m16 Firmware, Gl-ar300m Firmware and 17 more 2024-10-28 8 High
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control.
CVE-2024-45260 1 Gl-inet 20 Gl-a1300 Firmware, Gl-ar300m16 Firmware, Gl-ar300m Firmware and 17 more 2024-10-28 8 High
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it.
CVE-2024-45259 1 Gl-inet 20 Gl-a1300 Firmware, Gl-ar300m16 Firmware, Gl-ar300m Firmware and 17 more 2024-10-28 6.5 Medium
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. By intercepting an HTTP request and changing the filename property in the download interface, any file on the device can be deleted.