The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates on all files in this directory and executes them using the function dofile without any validation if it is a valid session file or not. An attacker who is able to write a malicious file in the sessions directory can get RCE as root.
References
Configurations
No configuration.
History
18 Sep 2024, 16:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-829 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
Summary |
|
16 Sep 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-16 21:15
Updated : 2024-09-20 12:31
NVD link : CVE-2024-45416
Mitre link : CVE-2024-45416
CVE.ORG link : CVE-2024-45416
JSON object : View
Products Affected
No product.
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere