CVE-2022-30105

In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:belkin:n300_firmware:1.00.08:*:*:*:*:*:*:*
cpe:2.3:h:belkin:n300:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:02

Type Values Removed Values Added
References () https://www.exploitee.rs/index.php/Belkin_N300#Remote_Root - Exploit, Third Party Advisory () https://www.exploitee.rs/index.php/Belkin_N300#Remote_Root - Exploit, Third Party Advisory

Information

Published : 2022-05-18 16:15

Updated : 2024-11-21 07:02


NVD link : CVE-2022-30105

Mitre link : CVE-2022-30105

CVE.ORG link : CVE-2022-30105


JSON object : View

Products Affected

belkin

  • n300_firmware
  • n300
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')