What Happened
A weakness was identified in the realpath function of the /rpc file in the Minidlna Service component of GL.iNet GL-MT3000 up to version 4.4.5, allowing for command injection through manipulation of the kube.set argument. Who Is Affected
GL.iNet GL-MT3000 devices up to version 4.4.5 are affected. Severity & Impact
The vulnerability has a CVSS severity score of 4.7, indicating a medium severity level. The attack can be carried out remotely and has low impacts on confidentiality, integrity, and availability. Mitigation
Upgrading to version 4.7 or later is recommended to fix this issue, as the SDK has added global protection to intercept malicious injection starting from version 4.7.