The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: CERT-PL
Published: 2024-01-12T14:23:53.922Z
Updated: 2024-08-02T21:53:44.978Z
Reserved: 2023-11-24T11:53:46.294Z
Link: CVE-2023-49255
Vulnrichment
No data.
NVD
Status : Modified
Published: 2024-01-12T15:15:09.083
Modified: 2024-11-21T08:33:07.887
Link: CVE-2023-49255
Redhat
No data.