Pix-Link LV-WR21Q Router Denial-of-Service Vulnerability in Language Module

A denial-of-service vulnerability has been identified in the Pix-Link LV-WR21Q router, specifically in the language module. This issue allows remote attackers to disrupt the functionality of the administrator panel by sending a crafted HTTP POST request with a non-existent language parameter. The server fails to deliver the correct 'lang.js' file, causing the administrator panel to malfunction. This disruption continues until the language settings are manually corrected. Notably, this denial-of-service condition impacts only the administrator panel, leaving other router functions unaffected. While the vendor was informed about this vulnerability, they did not provide details regarding the affected version range. The vulnerability has been confirmed on version V108_108, but other versions may also be susceptible.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition on the router's administrator panel, causing it to become unresponsive until the language settings are manually reverted to a correct value.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the router's language module endpoint with a non-existing language parameter. This will cause the server to fail in delivering the appropriate 'lang.js' file, disrupting the functionality of the administrator panel.