| Title | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting |
|---|
| Description | The TOTOLINK N300RH V4 web management interface contains an External Control of File Name or Path vulnerability in the setUploadSetting handler within upgrade.so. The handler reads an attacker-controlled FileName parameter and passes it directly to unlink(), allowing arbitrary file deletion on the device filesystem. |
|---|
| Source | ⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP |
|---|
| User | xuanyu (UID 36103) |
|---|
| Submission | 04/16/2026 18:10 (3 months ago) |
|---|
| Moderation | 05/01/2026 16:34 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360579 [Totolink N300RH 6.1c.1353_B20190305 /cgi-bin/cstecgi.cgi setUploadSetting FileName file inclusion] |
|---|
| Points | 19 |
|---|