| Title | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection |
|---|
| Description | The stun_user parameter in /cgi-bin/cstecgi.cgi (topicurl=setTr069Cfg) is vulnerable to command injection. User input is inserted into the command execution chain (Uci_Set_Str -> command build -> CsteSystem/execv) without adequate sanitization. An authenticated attacker can inject shell syntax to execute arbitrary commands on the target device. |
|---|
| Source | ⚠️ https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection |
|---|
| User | HustBinary (UID 96916) |
|---|
| Submission | 03/30/2026 13:28 (9 days ago) |
|---|
| Moderation | 04/06/2026 12:23 (7 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 355506 [Totolink A3300R 17.0.0cu.557_B20221024 /cgi-bin/cstecgi.cgi vsetTr069Cfg stun_pass os command injection] |
|---|
| Points | 0 |
|---|