| Field | Value |
|---|---|
| Title | Totolink T8 V4.1.5cu.833_20220905 Broken Access Control |
| Description | Firmware version V4.1.5cu.833_20220905 of the device allows remote attackers to obtain Wi-Fi system information and modify system-related settings without logging in, via port 80, path /cgi-bin/cstecgi.cgi, parameter topicurl. This version does not verify that the administrator is logged in, so the attacker does not need to supply the cookie obtained after the administrator logs in and can directly obtain the Wi-Fi SSID and Wi-Fi password. A request to modify the system settings that carries no cookie at all is still honoured; in a correctly secured configuration the device must verify that the request carries the cookie issued after administrator login. Totolink indicates the vulnerability has been fully patched in version 4.1.5cu.862_B20230228; the patched firmware can be downloaded at https://download.totolink.tw/uploads/firmware/T8/TOTOLINK_T8_V4.1.5cu.862_B20230228.zip |
| Source | https://drive.google.com/file/d/1WSWrGEKUkvPk8hq1VRng-wbR7T6CknGY/view?usp=sharing |
| User | lin7lic (UID 39301) |
| Submitted | 2024-01-08 02:24 AM (2 years ago) |
| Moderated | 2024-01-16 08:06 AM (8 days later) |
| Status | Accepted |
| VulDB Entry | 250785 [Totolink T8 4.1.5cu.833_20220905 Setting /cgi-bin/cstecgi.cgi getSysStatusCfg ssid/key information disclosure] |
| Points | 20 |