CVE-2018-17317
CRITICALFruityWifi 2.1 - OS Command Injection via Multiple Parameters
Title source: llmDescription
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.
References (3)
Core 3
Core References
Issue Tracking x_refsource_misc
https://github.com/xtr4nge/FruityWifi/issues/276
Exploit, Third Party Advisory x_refsource_misc
https://github.com/PatatasFritas/PatataWifi/issues/1
Exploit, Third Party Advisory x_refsource_misc
http://blog.51cto.com/010bjsoft/2175710
Scores
CVSS v3
9.8
EPSS
0.0431
EPSS Percentile
89.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (1)
fruitywifi_project/fruitywifi
2.1
Published
Sep 21, 2018
Tracked Since
Feb 18, 2026