WL-WN578W2
A Stored/Reflected Cross-Site Scripting (XSS) vulnerability exists in the Wavlink WL-WN578W2 wireless router (firmware version 221110 and potentially others) within the POST request handler of /cgi-bin/login.cgi. An attacker with high privileges can manipulate the homepage, hostname, or login_page parameters to inject malicious JavaScript that executes in the context of other users' browsers. A proof-of-concept has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, leaving affected devices unpatched.
Wavlink WL-WN578W2 routers contain a command injection vulnerability in the /cgi-bin/firewall.cgi POST handler that allows authenticated attackers to execute arbitrary commands by manipulating the dmz_flag or del_flag parameters. The vulnerability is remotely exploitable and has public exploit code available, though no patch has been released. An attacker with network access and valid credentials could achieve code execution with the privileges of the web service.
Wavlink WL-WN578W2 wireless routers (firmware version 221110) contain a critical command injection vulnerability that allows unauthenticated remote attackers to execute arbitrary commands via specially crafted POST requests to multiple functions in the wireless.cgi script. A public proof-of-concept exploit is available on GitHub, and the vendor has released a patch, making this a high-priority issue for immediate remediation despite no current KEV listing.