| Title | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O |
|---|---|
| Description | During the firmware update process, there is a command injection vulnerability in the function tools_diagnostic of program ssi. The tools_diagnostic function performs traceroute-based network diagnostics and saves the result to /tmp/diagnostic. The IP address is stored in variable s and is used as the parameter of the traceroute-based network diagnostic command. The IP address is input by the users. The web page performs regular expression validation on the IP address and passes it to ssi through an AJAX POST request. However, in the regular expression validation, there is no validation of shell metacharacters such as ;, \|, and $. Therefore, the hackers could perform malicious command injection on the IP address. This issue in the firmware update process of Trendnet TEW-821DAP (firmware version: v1.12B01) allows attackers to execute arbitrary code or cause denial of service by constructing a POST request that contains a malicious command. |
| Source | ⚠️ https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md |
| User | IOT_Res (UID 81722) |
| Submission | 16/04/2026 04:36 AM (2 months ago) |
| Moderation | 01/05/2026 02:07 PM (15 days later) |
| Status | Accepted |
| VulDB entry | 360566 [TRENDnet TEW-821DAP up to 1.12B01 Firmware Udpate /tmp/diagnostic tools_diagnostic privilege escalation] |
| Points | 20 |