PT-2023-25807 · Totolink · Totolink Lr350
Publicado
2023-07-07
·
Atualizado
2023-07-12
·
CVE-2023-37149
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
TOTOLINK LR350 version 9.3.5u.6369 B20220309
Description
A command injection issue was discovered via the
FileName parameter in the setUploadSetting function. This allows for potential command injection attacks.Recommendations
For TOTOLINK LR350 version 9.3.5u.6369 B20220309, consider disabling the
setUploadSetting function until a patch is available to prevent exploitation via the FileName parameter. Restrict access to this function to minimize the risk of command injection attacks. Avoid using the FileName parameter in the affected function until the issue is resolved.Exploit
Correção
Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Totolink Lr350