CVE-2022-38132

Published: Aug 23, 2022

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0.

Vendor	Product	Versions
Linksys	MR8300 Router	affected `Firmware 1.0`

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://downloads.linksys.com/support/assets/releasenotes/MR8300_1.1.10.210186_Customer_ReleaseNotes.txt

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-38132

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References