जमा करें #779140: Totolink A3300R 17.0.0cu.557_b20221024 Command Injectionजानकारी

शीर्षकTotolink A3300R 17.0.0cu.557_b20221024 Command Injection
विवरण The vulnerability resides within the router's shttpdservice. It allows a remote attacker to execute arbitrary operating system commands by sending a specially crafted network request. The technical root cause is a command injection flaw in the handling of user input: The attack vector is a user-supplied parameter named enable. The program flow reads this parameter in the sub_41458Cfunction and passes it to Uci_Set_Str. Subsequently, the value of the "enable" parameter is unsafely concatenated into a command string (variable v11) using snprintf. This crafted command string is then passed to the CsteSystemfunction, where it is ultimately executed by the execv()system call, leading to arbitrary command execution.
स्रोत⚠️ https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_enable_cmd_inject
उपयोगकर्ता
 LvHW (UID 96399)
सबमिशन13/03/2026 03:25 AM (4 महीनों पहले)
संयम29/03/2026 07:51 PM (17 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि354128 [Totolink A3300R 17.0.0cu.557_b20221024 /cgi-bin/cstecgi.cgi setUPnPCfg enable अधिकार वृद्धि]
अंक20

Do you want to use VulDB in your project?

Use the official API to access entries easily!