CVE-2022-38132
CVSS V2 None
CVSS V3 High 8.8
Description
Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0.
Overview
- CVE ID
- CVE-2022-38132
- Assigner
- info@cybellum.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-08-24T00:15:08
- Last Modified Date
- 2022-08-29T15:52:00
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:o:linksys:mr8300_firmware:1.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:linksys:mr8300:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- CHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 8.8
- Base Severity
- HIGH
- Exploitability Score
- 2
- Impact Score
- 6
References
| Reference URL | Reference Tags |
|---|---|
| https://downloads.linksys.com/support/assets/releasenotes/MR8300_1.1.10.210186_Customer_ReleaseNotes.txt |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-38132 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38132 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-08-24 01:00:06 | Added to TrackCVE |