CVE-2022-30105 Information

Description

In Belkin N300 Firmware 1.00.08 the script located at /setting_hidden.asp which is accessible before and after configuring the device exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters] are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters it is possible to inject a an OS command which will be executed with root privileges as the web interface and all processes on the device run as root.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.exploitee.rs/index.php/Belkin_N300#Remote_Root

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8