How severe is CVE-2023-31473?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2023-31473?

This is classified as CWE-77, which is a common weakness in software security.

CVE-2023-31473 - MEDIUM Severity | CVSS 4.9

Vulnerability Description

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file.

Related Vulnerabilities

CVE-2019-3913

MEDIUM

CVSS:4.9(Medium)

Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service.

CWE-772019

CVE-2018-19013

MEDIUM

CVSS:5.0(Medium)

An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file.

CWE-772018

CVE-2022-35954

MEDIUM

CVSS:5.0(Medium)

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specif...

CWE-772022

CVE-2024-28135

MEDIUM

CVSS:5.0(Medium)

A low privileged remote attacker can use a command injection vulnerability in the API which performs remote code execution as the user-app user due to improper input validation. The confidentiality is...

CWE-772024

CVE-2025-5030

LOW

CVSS:5.0(Medium)

A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the componen...

CWE-772025

CVE-2021-33515

MEDIUM

CVSS:4.8(Medium)

The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address.

CWE-772021