Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41489: IOT_Vulnerability_Discovery/3_csrf.md at main · splashsc/IOT_Vulnerability_Discovery

WAYOS LQ_09 22.03.17V was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to send crafted requests to the server from the affected device. This vulnerability is exploitable due to a lack of authentication in the component Usb_upload.htm.

CVE
#csrf#vulnerability#auth

Permalink

brand:WAYOS

**The firmware link:**http://www.wayos.com/products/LQ09.html 08 07 06 05 04

versions:

LQ_09-22.03.17V LQ_08_A2-22.03.17V LQ_07_A2-22.03.17V LQ_06_A2-22.03.17V LQ_05_A2-22.03.17V LQ_04-22.03.17V

exploit:

Usb_upload.htm is not authenticated

Without authentication, deleting the file will fail, capture the packet to generate CSRF Poc, open it with an authenticated browser, click Submit, and the file will be successfully deleted.

This vulnerability affects all routing gateway devices with USB sharing capabilities and affects both the latest and historical firmware

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda