CVE-2023-35194— Peplink Surf SOHO HW1 操作系统命令注入漏洞

N/A

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability is specifically for the `system` call in the file `/web/MANGA/cgi-bin/api.cgi` for firmware version 6.3.5 at offset `0x4bde44`.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Peplink Surf SOHO HW1 操作系统命令注入漏洞

Peplink Surf SOHO HW1是Peplink公司的一款小型路由器。 Peplink Surf SOHO HW1 v6.3.5版本存在操作系统命令注入漏洞，该漏洞源于api.cgi cmd.mvpn.x509.write功能存在操作系统命令注入漏洞。攻击者可利用该漏洞通过特制HTTP请求执行命令。

N/A

N/A