← Back to CVEs
CVE-2023-33621
MEDIUM5.9
Description
GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or access logs, potentially allowing attackers to bypass authentication via session replay.
CVE Details
CVSS v3.1 Score5.9
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published6/13/2023
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
gl-inet:gl-ar750sgl-inet:gl-ar750s_firmware
Weaknesses (CWE)
CWE-294
References
http://gl-ar750s-ext.com(cve@mitre.org)
http://glinet.com(cve@mitre.org)
https://justinapplegate.me/2023/glinet-CVE-2023-33621/(cve@mitre.org)
http://gl-ar750s-ext.com(af854a3a-2127-422b-91ae-364da2661108)
http://glinet.com(af854a3a-2127-422b-91ae-364da2661108)
https://justinapplegate.me/2023/glinet-CVE-2023-33621/(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.