| Title | COMFAST CF-E4 (EC200A) 2.6.0.1 Command Injection |
|---|---|
| Description | A command injection vulnerability was discovered in the COMFAST CF-E4 (EC200A) WiFi router with firmware version V2.6.0.1. The issue exists within the processing of the ntp_timezone section via the /cgi-bin/mbox-config endpoint. By sending a crafted POST request with a malicious timestr parameter, an authenticated attacker can bypass input validation and execute arbitrary system commands as root. This occurs because the user-supplied input is directly concatenated into a shell command string. |
| Source | https://github.com/cha0yang1/COMFAST/blob/main/RCE.md |
| User | cha0yang (UID 94272) |
| Submission | 2026. 01. 30. AM 06:21 (3 months ago) |
| Moderation | 2026. 02. 15. AM 10:22 (16 days later) |
| Status | Accepted |
| VulDB Entry | 346125 [Comfast CF-E4 2.6.0.1 HTTP POST Request mbox-config?method=SET&section=ntp_timezone timestr privilege escalation] |
| Points | 20 |