CVE-2018-17317

CRITICAL

FruityWifi 2.1 - OS Command Injection via Multiple Parameters

Title source: llm
STIX 2.1

Description

FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.

References (3)

Core 3
Core References
Issue Tracking x_refsource_misc
https://github.com/xtr4nge/FruityWifi/issues/276
Exploit, Third Party Advisory x_refsource_misc
https://github.com/PatatasFritas/PatataWifi/issues/1
Exploit, Third Party Advisory x_refsource_misc
http://blog.51cto.com/010bjsoft/2175710

Scores

CVSS v3 9.8
EPSS 0.0431
EPSS Percentile 89.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
fruitywifi_project/fruitywifi 2.1
Published Sep 21, 2018
Tracked Since Feb 18, 2026