| عنوان | Totolink A8000RU 7.1cu.643_b20200521 Command Injection |
|---|
| الوصف | A pre‑authentication OS command injection vulnerability exists in the `setL2tpServerCfg` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router.
The CGI handler retrieves user‑controlled input from the HTTP parameter `enable`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication.
|
|---|
| المصدر | ⚠️ https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_350/README.md |
|---|
| المستخدم | LtzHust2 (UID 95662) |
|---|
| ارسال | 26/04/2026 12:46 PM (1 شهر منذ) |
|---|
| الاعتدال | 24/05/2026 11:15 AM (28 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 365417 [Totolink A8000RU 7.1cu.643_b20200521 Web Management Interface /cgi-bin/cstecgi.cgi setL2tpServerCfg enable تجاوز الصلاحيات] |
|---|
| النقاط | 0 |
|---|