Security Advisories (Vulnerabilities and CVEs) April 29 2024
Dear all,
In this post, you will find a list of vulnerabilities and CVEs we've recently found on particular GL.iNet router models. Note that this does not include CVEs from OpenWrt.
Please check the firmware versions affected by the vulnerabilities and CVEs. If you're affected, you are strongly advised to upgrade your router to the firmware version containing the fixes as soon as possible.
| Model Number | Affected Firmware Version | Resolved Firmware Version |
|---|---|---|
| GL-MT6000 | V4.5.3 and earlier | V4.5.8 |
| GL-E750/GL-E750V2 Mudi | V4.3.8 and earlier | V4.3.12 |
| GL-X3000 Spitz AX | V4.4.6 and earlier | V4.4.8 |
| GL-XE3000 Puli AX | ||
| GL-A1300 Slate Plus | V4.4.6 and earlier | V4.5.16 |
| GL-AX1800 Flint | ||
| GL-AXT1800 Slate AX | ||
| GL-MT2500 Brume 2 | ||
| GL-MT3000 Beryl AX | ||
| GL-XE300 Puli | V3.217 and earlier | V4.3.16 |
| GL-X750 Spitz | V3.217 and earlier | V4.3.11 |
| GL-SFT1200 Opal | ||
| GL-AR300M Shadow | V4.3.7 and earlier | V4.3.11 |
| GL-AR750 Creta | ||
| GL-AR750S-EXT Slate | ||
| GL-B1300 Convexa-B | ||
| GL-MT1300 Beryl | ||
| GL-MT300N-V2 Mango |
CVE-2023-46454
- Summary: Allow arbitrary shell commands to be executed through carefully crafted package names vulnerability
- Credit to: Michele Di Bonaventura https://cyberaz0r.info/
CVE-2023-46455/CVE-2023-46456
- Summary: Path traversal in the OpenVPN client file upload could lead to arbitrary file writes vulnerability
- Credit to: Michele Di Bonaventura https://cyberaz0r.info/
CVE-2023-47463
- Summary: Unauthorized remote code inclusion vulnerability in the webDAV file server
- Credit to: Kevin Stephens
CVE-2023-47464
- Summary: Arbitrary upload files allow to be created or modified through the API vulnerability
- Credit to: San Bagheri https://hadess.io
CVE-2023-50919
(Extremely severe. Only router models running firmware v4.x are affected.)
- Summary: Bypassing Nginx authentication through a Lua string pattern matching vulnerability
- Credit to: Daniele Linguaglossa https://libdzonerzy.so/
CVE-2023-50920
(Severe. Only router models running firmware v4.x are affected.)
- Summary: Bypassing authentication or access control measures by assigning the same session ID vulnerability
- Credit to: Daniele Linguaglossa https://libdzonerzy.so/
CVE-2023-50921
(Severe. Only router models running firmware v4.x are affected.)
- Summary: Allow root access by calling the add_user interface in the system module vulnerability
- Credit to: Daniele Linguaglossa https://libdzonerzy.so/
CVE-2023-50922
- Summary: Remote code execution by a crontab-formatted file with AdminToken cookie vulnerability
- Credit to: ropbear https://selfhosted.systems
CVE-2023-50445
- Summary: Injection vulnerability in the gl_system_log and gl_crash_log and upgrade_online interface
- Credit to: ropbear https://selfhosted.systems
CVE-2024-27356
(Severe. Only router models running firmware v4.x are affected.)
- Summary: This vulnerability allows unauthenticated user to download a full log archive
- Credit to: Bandar Alharbi https://github.com/aggressor0
To report any bugs or security vulnerabilities, please send us an email at security@gl-inet.com. We have a 90-day vulnerability disclosure policy to ensure the security of our customers.