| 제목 | Totolink A8000RU 7.1cu.643_b20200521 Command Injection |
|---|
| 설명 | A pre‑authentication OS command injection vulnerability exists in the `setIpQosRules` functionality exposed via the web management interface (`/cgi-bin/cstecgi.cgi`) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router.
The CGI handler retrieves user‑controlled input from the HTTP parameter `comment`, embeds it directly into a shell command string using `sprintf`, and executes it via `CsteSystem()` without any sanitization or escaping. As a result, a remote attacker with network access to the web interface can inject arbitrary shell commands and execute them with root privileges on the device, without authentication.
|
|---|
| 원천 | ⚠️ https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_347/README.md |
|---|
| 사용자 | LtzHust (UID 95660) |
|---|
| 제출 | 2026. 04. 26. PM 12:43 (1 월 ago) |
|---|
| 모더레이션 | 2026. 05. 24. AM 11:15 (28 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 365456 [Totolink A8000RU 7.1cu.643_b20200521 Web Management Interface /cgi-bin/cstecgi.cgi setIpQosRules 댓글 권한 상승] |
|---|
| 포인트들 | 20 |
|---|