### [CVE-2024-39790](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39790)
![](https://img.shields.io/static/v1?label=Product&message=Wavlink%20AC3000&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=M33A8.V5030.210505%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-15%3A%20External%20Control%20of%20System%20or%20Configuration%20Setting&color=brightgreen)

### Description

Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.A configuration injection vulnerability exists within the `ftp_max_sessions` POST parameter.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds