Gửi #779140: Totolink A3300R 17.0.0cu.557_b20221024 Command Injectionthông tin

tiêu đềTotolink A3300R 17.0.0cu.557_b20221024 Command Injection
Mô tả The vulnerability resides within the router's shttpdservice. It allows a remote attacker to execute arbitrary operating system commands by sending a specially crafted network request. The technical root cause is a command injection flaw in the handling of user input: The attack vector is a user-supplied parameter named enable. The program flow reads this parameter in the sub_41458Cfunction and passes it to Uci_Set_Str. Subsequently, the value of the "enable" parameter is unsafely concatenated into a command string (variable v11) using snprintf. This crafted command string is then passed to the CsteSystemfunction, where it is ultimately executed by the execv()system call, leading to arbitrary command execution.
Nguồn⚠️ https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_enable_cmd_inject
Người dùng
 LvHW (UID 96399)
Đệ trình13/03/2026 03:25 (cách đây 4 các tháng)
Kiểm duyệt29/03/2026 19:51 (17 days later)
Trạng tháiđược chấp nhận
Mục VulDB354128 [Totolink A3300R 17.0.0cu.557_b20221024 /cgi-bin/cstecgi.cgi setUPnPCfg enable nâng cao đặc quyền]
điểm20

Might our Artificial Intelligence support you?

Check our Alexa App!