cvedb.io
CVE-2023-31473
MEDIUM · CVSS 4.9
EPSS exploitation probability: 0%
Published 2023-05-11T11:15:09.100 · Last modified 2026-06-17T05:57:03.333

Summary

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file.

Affected products

gl-inet — gl-s20_firmware

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.