Actiontec WCB6200Q Cookie Format String Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Actiontec WCB6200Q routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HTTP server. A crafted Cookie header in an HTTP request can trigger the use of a format specifier from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the HTTP server. Was ZDI-CAN-21417.

History

Thu, 19 Sep 2024 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Actiontec; Actiontec wcb6200q; Actiontec wcb6200q Firmware |
| CPEs | | cpe:2.3:h:actiontec:wcb6200q:-:*:*:*:*:*:*:*; cpe:2.3:o:actiontec:wcb6200q_firmware:1.2l.03.5:*:*:*:*:*:*:* |
| Vendors & Products | | Actiontec; Actiontec wcb6200q; Actiontec wcb6200q Firmware |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: zdi

Published: 2024-06-18T23:39:02.468Z

Updated: 2024-08-01T21:33:04.866Z

Reserved: 2024-06-18T21:08:52.383Z

Link: CVE-2024-6145

Vulnrichment

Updated: 2024-08-01T21:33:04.866Z

NVD

Status: Analyzed

Published: 2024-06-19T00:15:50.413

Modified: 2024-09-19T17:50:17.250

Link: CVE-2024-6145

Redhat

No data.