Am1Ngl

**Name of the Vulnerable Software and Affected Versions** TOTOLink A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to the lack of input data sanitization in the `staticGw` function of the TOTOLink A7100RU router's firmware. This allows a remote attacker to exploit the vulnerability and execute arbitrary code. The vulnerability is specifically a command injection issue via the `staticGw` parameter at the "/setting/setWanIeCfg" API endpoint. **Recommendations** For TOTOLink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider disabling the `staticGw` function until a patch is available. Restrict access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `staticGw` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version 7.4cu.2313 B20191024 **Description** The issue is a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload. **Recommendations** For TOTOLINK A7100RU version 7.4cu.2313 B20191024, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `org` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "setting/delStaticDhcpRules" endpoint until a patch is available. Avoid using the `org` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `pppoeAcName` parameter at the "/setting/setWanIeCfg" API endpoint. **Recommendations** For version 7.4cu.2313 B20191024, avoid using the `pppoeAcName` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `wanStrategy` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `wanStrategy` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `downBw` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `downBw` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `upBw` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `upBw` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to Command Injection. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For TOTOLINK A7100RU version V7.4cu.2313 B20191024, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered in the router, specifically via the `ou` parameter at the "/setting/delStaticDhcpRules" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the "/setting/delStaticDhcpRules" API endpoint to minimize the risk of exploitation. Avoid using the `ou` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to a command injection vulnerability. This vulnerability can be exploited via the `enabled` parameter at the "/setting/setWanIeCfg" API endpoint. The vulnerability allows a remote attacker to execute arbitrary commands. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider disabling access to the "/setting/setWanIeCfg" API endpoint until a patch is available. Restrict the use of the `enabled` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `province` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the "setting/delStaticDhcpRules" endpoint to minimize the risk of exploitation. Avoid using the `province` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `city` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "setting/delStaticDhcpRules" endpoint to minimize the risk of exploitation. Avoid using the `city` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to a lack of input data sanitization in the settings/delStaticDhcpRules file of the TOTOLINK A7100RU router's firmware, allowing a remote attacker to execute arbitrary commands via a command injection vulnerability. The vulnerability can be exploited through the `country` parameter at the "setting/delStaticDhcpRules" endpoint. **Recommendations** For TOTOLINK A7100RU version V7.4cu.2313 B20191024, consider disabling access to the `setting/delStaticDhcpRules` endpoint until a patch is available. Restrict the use of the `country` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `dayvalid` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, avoid using the `dayvalid` parameter in the affected function until the issue is resolved. As a temporary workaround, consider restricting access to the `setting/delStaticDhcpRules` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `rsabits` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the `setting/delStaticDhcpRules` function until a patch is available. Avoid using the `rsabits` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `username` parameter in the `setting/setOpenVpnCertGenerationCfg` function. This allows for potential command injection attacks. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the `setting/setOpenVpnCertGenerationCfg` function until a patch is available. Avoid using the `username` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `FileName` parameter in the `setting/setOpenVpnCertGenerationCfg` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the `setting/setOpenVpnCertGenerationCfg` function to minimize the risk of exploitation. Avoid using the `FileName` parameter in this function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `servername` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the `setting/delStaticDhcpRules` function until a patch is available. Avoid using the `servername` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Nome do software vulnerável e versões afetadas** TOTOlink A7100RU versão 7.4cu.2313 B20191024 **Descrição** O problema está relacionado a uma vulnerabilidade de injeção de comando no serviço httpd do firmware do roteador TOTOlink A7100RU. Essa vulnerabilidade permite que um invasor execute comandos arbitrários enviando uma carga útil especialmente criada, o que pode levar o invasor a obter um shell root estável. A vulnerabilidade se deve à falta de sanitização adequada de elementos especiais, que podem ser explorados por um invasor remoto. **Recomendações** Para o TOTOlink A7100RU versão 7.4cu.2313 B20191024, considere desativar o serviço httpd até que um patch esteja disponível para impedir a exploração da vulnerabilidade de injeção de comando. Restrinja o acesso à interface web do roteador para minimizar o risco de exploração. Evite usar a interface web do roteador para operações críticas até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.