New Firmware Download Center website UI reworks

Just found out that we have a new UI design of FW download center website: :grinning:

4 Likes

Looks really nice & professional, well done!

I love the information (and warning) about each firmware flavor.


But the “Router” vs “IOT” switch is hard to find.

1 Like

It’s very responsive :+1:, I like the roadmap part as well.

I don’t like it at all, I have to switch my phone browser to desktop mode to be able to use it and see all the elements :-1:

1 Like

The new download center is definitely not made for mobile devices :unamused:

Interesting note on the new page, that you need to update to version 4.5 firmware. Too bad that there is no 4.5 firmware available for any of the 6 different GL iNet router models I own. Guess I’m just out of luck.

1 Like

I still see the old one here: https://dl.gl-inet.com/

Clear your browser cache.

Okay, let’s check on this one.

Please update to Ver. 4.5 to address critical security flaws in GL.iNet OpenWrt Routers.
Open communication, valid suggestion. GL.iNet is a company that needs to make money. They suggest installing the latest FW version, and using the latest products.

If I were responsible for a company, I would take this statement and ask my CFO to release some money for an upgrade.
If I am a private person and don’t want to upgrade, because of reason … I’ll check the given information:

CVE-2023-46456 - In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.
→ Don’t use untrusted OpenVPN configuration files. Maybe disable OpenVPN and switch to WireGuard, fine.

CVE-2023-46454 - In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.
→ Don’t install packages from untrusted sources. Do you need extra packages on a Shadow?

CVE-2023-46455 - In GL.iNET GL-AR300M routers with firmware v4.3.7 it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.
→ see CVE-2023-46456

CVE-2023-50919 - An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
→ Nginx is the httpd service. So don’t open Port 80 or 443 to WAN!
→ Latest FW or Shadow: https://dl.gl-inet.com/router/ar300m/ 4.3.10, is later than 4.3.7!

CVE-2023-50920 - An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
→ Don’t let an attacker get their hands on your laptop/mobile/tablet and GL.iNet router! He could use your last session to … whatever. Maybe see your backed-up pictures from the SD card.
→ Latest FW or Shadow: https://dl.gl-inet.com/router/ar300m/ 4.3.10, is later than 4.3.7!

I have not checked if the mentioned issues are listed in the change log between 4.3.7 and 4.3.10 … But I don’t even know if one of your 6 devices is a Shadow.

Will fix mobile browsing.

1 Like

Most of them aren’t critical anyway.

I checked them a month ago:

1 Like

For my devices that have 4.3.10 support, I think these issues are fixed. I feel that this note is in error and whoever posted this note at GL iNet should have done more research into what version of their own firmware fixes these issues.

Second point is the GL iNet firmware is in a state of chaos right now. Way too many versions, and everyone including GL iNet is confused. Older products still under support should have the same firmware, features and version number as newer products. There should be no second class products.

2 Likes