CVE-2024-39363
Published: 14 January 2025
Description
A cross-site scripting (XSS) vulnerability exists in the login.cgi set_lang_CountryCode() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
Security Summary
CVE-2024-39363 is a cross-site scripting (XSS) vulnerability in the login.cgi set_lang_CountryCode() functionality of the Wavlink AC3000 router running firmware version M33A8.V5030.210505. The flaw allows a specially crafted HTTP request to trigger the issue, resulting in the disclosure of sensitive information. It is rated with a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-80.
The attacker needs no credentials on the router: the crafted request targets login.cgi, which is reachable before authentication. The UI:R component of the vector means a victim must still be induced to open the crafted link or visit a page that issues the request on their behalf. Successful exploitation discloses sensitive information; because the scope is changed (the injected script runs in the victim's browser, a different component from the router's web server that contains the flaw), the vector rates the confidentiality, integrity and availability impacts as high.
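The following is an added illustration, not Wavlink firmware code and not taken from the Talos report: a minimal C model of a CGI handler that reflects a country-code parameter into HTML. The parameter name "lang", the fixed-size buffers and the two-uppercase-letter allowlist are assumptions chosen for the example; the page does not document the real parameter or the exact sink. The first function shows the reflected-XSS pattern; the hardened variant validates against an allowlist and HTML-escapes the value before it reaches the response.

```c
/* Added example: reflected XSS in a CGI-style handler, vulnerable and
 * hardened forms. Parameter name, buffer sizes and allowlist are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Vulnerable pattern: the request parameter is interpolated verbatim into
 * the HTML response, so a value such as "><script>...</script> closes the
 * attribute and runs in the victim's browser.
 * Returns 0 on success, -1 if the output buffer is too small. */
int render_lang_vulnerable(const char *country_code, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<input name=\"lang\" value=\"%s\">", country_code);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check (assumed policy): exactly two uppercase ASCII letters. */
int is_valid_country_code(const char *s)
{
    if (s == NULL || strlen(s) != 2)
        return 0;
    return isupper((unsigned char)s[0]) && isupper((unsigned char)s[1]);
}

/* HTML-escape the five characters that matter in attribute and text
 * contexts. Returns 0 on success, -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rlen = strlen(rep);
        if (pos + rlen + 1 > outlen)
            return -1;
        memcpy(out + pos, rep, rlen);
        pos += rlen;
    }
    out[pos] = '\0';
    return 0;
}

/* Hardened handler: reject anything that is not a well-formed country code,
 * then escape it anyway before interpolation (defence in depth).
 * Returns 0 on success, -1 if the value is rejected or the buffer is too small. */
int render_lang_hardened(const char *country_code, char *out, size_t outlen)
{
    char escaped[64];
    if (!is_valid_country_code(country_code))
        return -1;
    if (html_escape(country_code, escaped, sizeof escaped) != 0)
        return -1;
    int n = snprintf(out, outlen, "<input name=\"lang\" value=\"%s\">", escaped);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    char page[256];
    /* Constructed test input, not a payload from the advisory. */
    const char *payload = "\"><script>alert(document.cookie)</script>";

    render_lang_vulnerable(payload, page, sizeof page);
    printf("vulnerable: %s\n", page);

    if (render_lang_hardened(payload, page, sizeof page) != 0)
        printf("hardened: rejected malformed country code\n");

    render_lang_hardened("US", page, sizeof page);
    printf("hardened: %s\n", page);
    return 0;
}
```

The allowlist alone would stop this particular input; the escaping step is kept so that a later relaxation of the allowlist (for example, to accept language tags with hyphens) does not silently reintroduce the injection.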
Talos Intelligence has published a detailed vulnerability report on this issue at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2017 (also reachable at https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2017), which security practitioners should consult for additional technical details and recommended mitigations.
Details
- CWE(s)