CVE-2024-39790

Jan. 14, 2025, 3:15 p.m.

9.1
Critical

Description

Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_max_sessions` POST parameter.

Product(s) Impacted

Product Versions
Wavlink AC3000 M33A8
  • V5030.210505

Weaknesses

CWE-15
External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056

Tags

talos-cna@cisco.com
CWE-15
2025-01-14
CVE-2024-39790

CVSS Score

9.1 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Date

  • Published: Jan. 14, 2025, 3:15 p.m.
  • Last Modified: Jan. 14, 2025, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

talos-cna@cisco.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.