CVE-2024-48418

In the Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of the user-provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands.

Configurations

Configuration 1

AND
cpe:2.3:o:edimax:br-6476ac_firmware:1.06:*:*:*:*:*:*:*
cpe:2.3:h:edimax:br-6476ac:-:*:*:*:*:*:*:*

History

28 May 2025, 17:53

Type | Values Removed | Values Added
First Time | (none) | Edimax br-6476ac; Edimax br-6476ac Firmware; Edimax
References | () http://edimax.com - | () http://edimax.com - Product
References | () https://github.com/SpikeReply/advisories/blob/c271ddb997bc0263274118acc380bc71ce9c316b/cve/edimax/cve-2024-48418.md - | () https://github.com/SpikeReply/advisories/blob/c271ddb997bc0263274118acc380bc71ce9c316b/cve/edimax/cve-2024-48418.md - Exploit, Third Party Advisory
CPE | (none) | cpe:2.3:o:edimax:br-6476ac_firmware:1.06:*:*:*:*:*:*:*; cpe:2.3:h:edimax:br-6476ac:-:*:*:*:*:*:*:*

28 Jan 2025, 20:15

Type | Values Removed | Values Added
Summary | (none) | (es) In the Edimax AC1200 Wi-Fi 5 Dual-Band router BR-6476AC 1.06, the /goform/fromSetDDNS request does not correctly handle special characters in any of the user-provided parameters, which allows an attacker with access to the web interface to inject and execute arbitrary shell commands.
CWE | (none) | CWE-352
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 8.8

27 Jan 2025, 17:15

Type | Values Removed | Values Added
New CVE | (none) | (none)

Information

Published : 2025-01-27 17:15

Updated : 2025-05-28 17:53


NVD link : CVE-2024-48418

Mitre link : CVE-2024-48418

CVE.ORG link : CVE-2024-48418


Products Affected

edimax

  • br-6476ac_firmware
  • br-6476ac
CWE
CWE-352

Cross-Site Request Forgery (CSRF)