CVE-2024-28077
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/08/2024
Last modified:
14/03/2025
Description
A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page