CVE-2008-1247

Currently unrated

Key Information:

Vendor: Linksys
Status: Wrt54g
Vendor: CVE Published:; 10 March 2008

Summary

The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. NOTE: the Security.tri vector is already covered by CVE-2006-5202.

References

http://www.securityfocus.com/archive/1/489009/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://secunia.com/advisories/29344

third-party-advisoryx_refsource_SECUNIA

http://kinqpinz.info/lib/wrt54g/own.txt

x_refsource_MISC

EPSS Score

13% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Mar 10, 2008
Vulnerability Reserved
Mar 10, 2008