Gl\-Mt3000_firmware - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Gl\-Mt3000_firmware
(Gl\-Inet)

Repositories	Unknown: This might be proprietary software.
#Vulnerabilities	13

Date	Id	Summary	Products	Score	Patch	Annotated
2024-01-03	CVE-2023-50921	An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.	Gl\-A1300_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mt6000_firmware	9.8
2024-01-12	CVE-2023-50920	An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7,...	Gl\-A1300_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mt6000_firmware	5.5
2024-01-03	CVE-2023-50922	An issue was discovered on GL.iNet devices through 4.5.0. Attackers who are able to steal the AdminToken cookie can execute arbitrary code by uploading a crontab-formatted file to a specific directory and waiting for its execution. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.	Gl\-A1300_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mt6000_firmware	7.2
2024-01-12	CVE-2023-50919	An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.	Gl\-A1300_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mt6000_firmware	9.8
2023-05-02	CVE-2023-29778	GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread.	Gl\-Mt3000_firmware	9.8
2023-05-09	CVE-2023-31472	An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied.	Gl\-A1300_firmware, Gl\-Ap1300_firmware, Gl\-Ap1300lte_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-B2200_firmware, Gl\-E750_firmware, Gl\-Mifi_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt2500a_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mv1000_firmware, Gl\-Mv1000w_firmware, Gl\-S10_firmware, Gl\-S1300_firmware, Gl\-S200_firmware, Gl\-S20_firmware, Gl\-Sf1200_firmware, Gl\-Sft1200_firmware, Gl\-Usb150_firmware, Gl\-X1200_firmware, Gl\-X3000_firmware, Gl\-X300b_firmware, Gl\-X750_firmware, Gl\-Xe300_firmware, Microuter\-N300_firmware	7.5
2023-05-09	CVE-2023-31474	An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name.	Gl\-A1300_firmware, Gl\-Ap1300_firmware, Gl\-Ap1300lte_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-B2200_firmware, Gl\-E750_firmware, Gl\-Mifi_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt2500a_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mv1000_firmware, Gl\-Mv1000w_firmware, Gl\-S10_firmware, Gl\-S1300_firmware, Gl\-S200_firmware, Gl\-S20_firmware, Gl\-Sf1200_firmware, Gl\-Sft1200_firmware, Gl\-Usb150_firmware, Gl\-X1200_firmware, Gl\-X3000_firmware, Gl\-X300b_firmware, Gl\-X750_firmware, Gl\-Xe300_firmware, Microuter\-N300_firmware	7.5
2023-05-09	CVE-2023-31478	An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key.	Gl\-A1300_firmware, Gl\-Ap1300_firmware, Gl\-Ap1300lte_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-B2200_firmware, Gl\-E750_firmware, Gl\-Mifi_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt2500a_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mv1000_firmware, Gl\-Mv1000w_firmware, Gl\-S10_firmware, Gl\-S1300_firmware, Gl\-S200_firmware, Gl\-S20_firmware, Gl\-Sf1200_firmware, Gl\-Sft1200_firmware, Gl\-Usb150_firmware, Gl\-X1200_firmware, Gl\-X3000_firmware, Gl\-X300b_firmware, Gl\-X750_firmware, Gl\-Xe300_firmware, Microuter\-N300_firmware	7.5
2023-05-10	CVE-2023-31471	An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the restrictions on the available package list are limited to client-side verification. It is possible to install software from the filesystem, the package list, or a URL.	Gl\-A1300_firmware, Gl\-Ap1300_firmware, Gl\-Ap1300lte_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-B2200_firmware, Gl\-E750_firmware, Gl\-Mifi_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt2500a_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mv1000_firmware, Gl\-Mv1000w_firmware, Gl\-S10_firmware, Gl\-S1300_firmware, Gl\-S200_firmware, Gl\-S20_firmware, Gl\-Sf1200_firmware, Gl\-Sft1200_firmware, Gl\-Usb150_firmware, Gl\-X1200_firmware, Gl\-X3000_firmware, Gl\-X300b_firmware, Gl\-X750_firmware, Gl\-Xe300_firmware, Microuter\-N300_firmware	9.8
2023-05-11	CVE-2023-31477	A path traversal issue was discovered on GL.iNet devices before 3.216. Through the file sharing feature, it is possible to share an arbitrary directory, such as /tmp or /etc, because there is no server-side restriction to limit sharing to the USB path.	Gl\-A1300_firmware, Gl\-Ap1300_firmware, Gl\-Ap1300lte_firmware, Gl\-Ar300m_firmware, Gl\-Ar750_firmware, Gl\-Ar750s_firmware, Gl\-Ax1800_firmware, Gl\-Axt1800_firmware, Gl\-B1300_firmware, Gl\-B2200_firmware, Gl\-E750_firmware, Gl\-Mifi_firmware, Gl\-Mt1300_firmware, Gl\-Mt2500_firmware, Gl\-Mt2500a_firmware, Gl\-Mt3000_firmware, Gl\-Mt300n\-V2_firmware, Gl\-Mv1000_firmware, Gl\-Mv1000w_firmware, Gl\-S10_firmware, Gl\-S1300_firmware, Gl\-S200_firmware, Gl\-S20_firmware, Gl\-Sf1200_firmware, Gl\-Sft1200_firmware, Gl\-Usb150_firmware, Gl\-X1200_firmware, Gl\-X3000_firmware, Gl\-X300b_firmware, Gl\-X750_firmware, Gl\-Xe300_firmware, Microuter\-N300_firmware	7.5