This page lists publicly disclosed CVE vulnerabilities affecting gl-inet gl-mt2500a_firmware (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2023-31475 | An issue was discovered on GL.iNet devices before 3.216. The function guci2_get() found in libglutil.so has a buffer overflow when an item is requested from a UCI context, and the value is pasted into a char pointer to a buffer without checking the size of the buffer. | 9.8 | 13.74% | 2023-05-11 | 2026-06-17 |
| CVE-2023-31473 | An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file. | 4.9 | 3.87% | 2023-05-11 | 2026-06-17 |
| CVE-2023-31477 | A path traversal issue was discovered on GL.iNet devices before 3.216. Through the file sharing feature, it is possible to share an arbitrary directory, such as /tmp or /etc, because there is no server-side restriction to limit sharing to the USB path. | 7.5 | 0.94% | 2023-05-10 | 2026-06-17 |
| CVE-2023-31471 | An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the restrictions on the available package list are limited to client-side verification. It is possible to install software from the filesystem, the package list, or a URL. | 9.8 | 1.05% | 2023-05-10 | 2026-06-17 |
| CVE-2023-31478 | An issue was discovered on GL.iNet devices before 3.216. An API endpoint reveals information about the Wi-Fi configuration, including the SSID and key. | 7.5 | 29.70% | 2023-05-09 | 2026-06-17 |
| CVE-2023-31474 | An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name. | 7.5 | 0.82% | 2023-05-09 | 2026-06-17 |
| CVE-2023-31472 | An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. | 7.5 | 19.88% | 2023-05-09 | 2026-06-17 |