Submit #806597: TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Settinginfo

TitleTOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting
DescriptionThe TOTOLINK N300RH V4 web management interface contains an External Control of File Name or Path vulnerability in the setUploadSetting handler within upgrade.so. The handler reads an attacker-controlled FileName parameter and passes it directly to unlink(), allowing arbitrary file deletion on the device filesystem.
Source⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP
User
 xuanyu (UID 36103)
Submission04/16/2026 18:10 (3 months ago)
Moderation05/01/2026 16:34 (15 days later)
StatusAccepted
VulDB entry360579 [Totolink N300RH 6.1c.1353_B20190305 /cgi-bin/cstecgi.cgi setUploadSetting FileName file inclusion]
Points19

Want to stay up to date on a daily basis?

Enable the mail alert feature now!