CVE-2022-38132 — HIGH (8.2)

Vulnerability Description

Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linksys	Mr8300 Firmware	1.0
Linksys	Mr8300	-

Related Weaknesses (CWE)

CWE-78

References

https://downloads.linksys.com/support/assets/releasenotes/MR8300_1.1.10.210186_CRelease NotesVendor Advisory
https://downloads.linksys.com/support/assets/releasenotes/MR8300_1.1.10.210186_CRelease NotesVendor Advisory

FAQ

What is CVE-2022-38132?

CVE-2022-38132 is a vulnerability with a CVSS score of 8.2 (HIGH). Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitr...

How severe is CVE-2022-38132?

CVE-2022-38132 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-38132?

Check the references section above for vendor advisories and patch information. Affected products include: Linksys Mr8300 Firmware, Linksys Mr8300.