| タイトル | Totolink A8000RU 7.1cu.643_b20200521 Command Injection |
|---|
| 説明 | A pre‑authentication OS command injection vulnerability exists in the `setWiFiWpsCfg` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router.
The CGI handler retrieves user‑controlled input from the HTTP parameter `wscDisabled`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication. |
|---|
| ソース | ⚠️ https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_355/README.md |
|---|
| ユーザー | LtzHuster2 (UID 96397) |
|---|
| 送信 | 2026年04月27日 08:01 (1 月 ago) |
|---|
| モデレーション | 2026年05月24日 09:07 (27 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 365415 [Totolink A8000RU 7.1cu.643_b20200521 Web Management Interface /cgi-bin/cstecgi.cgi setWiFiWpsCfg wscDisabled 特権昇格] |
|---|
| ポイント | 20 |
|---|