CVE-2024-39226 Information

Description

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11 MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16 XE300 v4.3.16 E750 v4.3.12 AP1300/S1300 v4.3.13 and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data.

Reference

http://ar750ar750sar300mar300m16mt300n-v2b1300mt1300sft1200x750.com https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md