cve-2024-28077
Vulnerability from cvelistv5
Published
2024-08-26 00:00
Modified
2025-03-14 13:12
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.
References
cve@mitre.orghttps://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.mdThird Party Advisory
cve@mitre.orghttps://gl-inet.comProduct
Impacted products
n/an/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-28077",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-14T13:06:19.124374Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-14T13:12:01.317Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T19:29:58.213Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://gl-inet.com"
        },
        {
          "url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-28077",
    "datePublished": "2024-08-26T00:00:00.000Z",
    "dateReserved": "2024-03-03T00:00:00.000Z",
    "dateUpdated": "2025-03-14T13:12:01.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28077\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-08-26T20:15:07.733\",\"lastModified\":\"2025-03-14T14:15:14.653\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A denial-of-service issue was discovered on certain GL-iNet devices. Some websites can detect devices exposed to the external network through DDNS, and consequently obtain the IP addresses and ports of devices that are exposed. By using special usernames and special characters (such as half parentheses or square brackets), one can call the login interface and cause the session-management program to crash, resulting in customers being unable to log into their devices. This affects MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10, and XE300 4.3.16.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema de denegaci\u00f3n de servicio en ciertos dispositivos GL-iNet. Algunos sitios web pueden detectar dispositivos expuestos a la red externa a trav\u00e9s de DDNS y, en consecuencia, obtener las direcciones IP y los puertos de los dispositivos que est\u00e1n expuestos. Al utilizar nombres de usuario especiales y caracteres especiales (como medio par\u00e9ntesis o corchetes), se puede llamar a la interfaz de inicio de sesi\u00f3n y provocar que el programa de administraci\u00f3n de sesiones falle, lo que provocar\u00e1 que los clientes no puedan iniciar sesi\u00f3n en sus dispositivos. Esto afecta a MT6000 4.5.6, XE3000 4.4.5, X3000 4.4.6, MT3000 4.5.0, MT2500 4.5.0, AXT1800 4.5.0, AX1800 4.5.0, A1300 4.5.0, S200 4.1.4-0300, X750 4.3.7, SFT1200 4.3.7, MT1300 4.3.10, AR750 4.3.10, AR750S 4.3.10, AR300M 4.3.10, AR300M16 4.3.10, B1300 4.3.10, MT300N-V2 4.3.10 y XE300 4 .3. 16.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:mt6000_firmware:4.5.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C1C6413-DB3D-4B14-9246-38AA5103615D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CCDE99A6-DA15-4E4B-8C60-CCB9D580BD82\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:x3000_firmware:4.4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"861A5EB1-2DFF-479C-9202-590DB6E796C9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9479FFAA-9C87-4530-884D-B96055A3D41C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:xe3000_firmware:4.4.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB3DD919-EC2B-44CF-AEBD-4EA5A0D52552\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"265EDD5D-B879-4E8A-A6DE-400BC6273A41\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:a1300_firmware:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD782342-ED71-4BD6-97EB-330F14991957\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6DBF472-E98E-4E00-B6A0-6D8FA1678AEA\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:ax1800_firmware:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AE60C1C-957D-472A-BB66-21DA80B97099\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCB312FD-370C-4DF9-961F-F0C4920AA368\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:axt1800_firmware:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AED7B3A1-7DEB-4DB0-AA6E-7D27434BD2CD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF453954-BC32-4577-8CE4-066812193495\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:mt2500_firmware:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C4B6800-8A1B-4522-B5E0-9CC4C09DBA2A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3ADF5BF3-0F52-4947-8BC2-3505EDEEDF28\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:mt3000_firmware:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"79D3F6BA-60D2-495A-8C74-7E74D3DB25A7\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:mt3000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFF2DBFD-2AE0-41BC-B614-9836098119F4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"96241919-0E87-4966-B94F-58DA4DFDA607\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"57D82B62-F057-42A4-8530-86145AE91AC2\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:x750_firmware:4.3.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CB74B0F-E141-403A-B480-5B48B9040D4E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D1EDFF0-F67C-4801-815C-309940BD7338\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:sft1200_firmware:4.3.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AE590D9-C0AB-4E3E-8E03-DBF12445AA0B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E656351D-E06E-435F-B1E5-34B89FD8B54B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:ar300m_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E53CE790-1466-4BB0-933B-33B531C0DD55\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F040AC86-5D7A-4E57-B272-A425DDDE1698\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"83E73FCD-31F7-4BE9-8D16-FB4FDAC685BF\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA3E349B-C40F-4DE6-B977-CF677B2F9814\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:ar750_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"993B06A2-2BB4-4EBC-904E-802001D9DFEC\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"749A6936-392E-430C-ABD3-33D4C5B3D178\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:ar750s_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD8F61AA-DE3B-44DC-AE73-7D8E807F918E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F18E5F1D-55CD-4F6A-A349-90DD27B29955\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:b1300_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C1EDB92-F871-4F92-B5CB-9DE24A908D8C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A47EFE3F-D217-469E-BEE6-5D78037C71C3\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:mt1300_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE0558E6-FAC8-4569-9AA4-C96823E591C8\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CECA41F-E807-4234-8C41-477DE132210E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5BB0698-5585-4511-88EA-7C265EF22F10\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"797DD304-0AF8-4E2C-8F72-ADF31B8AD6F4\"}]}]}],\"references\":[{\"url\":\"https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Denial%20of%20service.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gl-inet.com\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.