Vendor: GL.iNet
By: Michele 'cyberaz0r' Di Bonaventura
CVSS: 6.1 (HIGH)
Arbitrary File Write
CWE: 22
Product Name: GL.iNet
Affected Version From: <= 4.3.7
Affected Version To: 4.3.2007
Patch Exists: NO
Related CWE: CVE-2023-46455
CPE: o:gl-inet:gl-inet_firmware:4.3.7
Platforms Tested: GL.iNet AR300M
2023
GL.iNet <= 4.3.7 Arbitrary File Write
GL.iNet firmware <= 4.3.7 allows an attacker to write arbitrary files. By crafting a specific shadow file and using the exploit script to replace the existing one, the attacker can write to the '/etc/shadow' file. This vulnerability has been assigned CVE-2023-46455.
Mitigation:
Update to a version later than 4.3.7 to prevent this vulnerability. Avoid exposing the GL.iNet admin panel to the internet.