Am1Ngl

**Name of the Vulnerable Software and Affected Versions** TOTOLink A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to the lack of input data sanitization in the `staticGw` function of the TOTOLink A7100RU router's firmware. This allows a remote attacker to exploit the vulnerability and execute arbitrary code. The vulnerability is specifically a command injection issue via the `staticGw` parameter at the "/setting/setWanIeCfg" API endpoint. **Recommendations** For TOTOLink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider disabling the `staticGw` function until a patch is available. Restrict access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `staticGw` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version 7.4cu.2313 B20191024 **Description** The issue is a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload. **Recommendations** For TOTOLINK A7100RU version 7.4cu.2313 B20191024, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `org` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "setting/delStaticDhcpRules" endpoint until a patch is available. Avoid using the `org` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `pppoeAcName` parameter at the "/setting/setWanIeCfg" API endpoint. **Recommendations** For version 7.4cu.2313 B20191024, avoid using the `pppoeAcName` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `wanStrategy` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `wanStrategy` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `downBw` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `downBw` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `upBw` parameter at the "/setting/setWanIeCfg" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "/setting/setWanIeCfg" API endpoint to minimize the risk of exploitation. Avoid using the `upBw` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to Command Injection. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For TOTOLINK A7100RU version V7.4cu.2313 B20191024, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered in the router, specifically via the `ou` parameter at the "/setting/delStaticDhcpRules" API endpoint. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the "/setting/delStaticDhcpRules" API endpoint to minimize the risk of exploitation. Avoid using the `ou` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to a command injection vulnerability. This vulnerability can be exploited via the `enabled` parameter at the "/setting/setWanIeCfg" API endpoint. The vulnerability allows a remote attacker to execute arbitrary commands. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider disabling access to the "/setting/setWanIeCfg" API endpoint until a patch is available. Restrict the use of the `enabled` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `province` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the "setting/delStaticDhcpRules" endpoint to minimize the risk of exploitation. Avoid using the `province` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version V7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `city` parameter at the "setting/delStaticDhcpRules" endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOlink A7100RU version V7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the "setting/delStaticDhcpRules" endpoint to minimize the risk of exploitation. Avoid using the `city` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A7100RU version V7.4cu.2313 B20191024 **Description** The issue is related to a lack of input data sanitization in the settings/delStaticDhcpRules file of the TOTOLINK A7100RU router's firmware, allowing a remote attacker to execute arbitrary commands via a command injection vulnerability. The vulnerability can be exploited through the `country` parameter at the "setting/delStaticDhcpRules" endpoint. **Recommendations** For TOTOLINK A7100RU version V7.4cu.2313 B20191024, consider disabling access to the `setting/delStaticDhcpRules` endpoint until a patch is available. Restrict the use of the `country` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `dayvalid` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, avoid using the `dayvalid` parameter in the affected function until the issue is resolved. As a temporary workaround, consider restricting access to the `setting/delStaticDhcpRules` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `rsabits` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the `setting/delStaticDhcpRules` function until a patch is available. Avoid using the `rsabits` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `username` parameter in the `setting/setOpenVpnCertGenerationCfg` function. This allows for potential command injection attacks. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, as a temporary workaround, consider restricting access to the `setting/setOpenVpnCertGenerationCfg` function until a patch is available. Avoid using the `username` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was discovered via the `FileName` parameter in the `setting/setOpenVpnCertGenerationCfg` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the `setting/setOpenVpnCertGenerationCfg` function to minimize the risk of exploitation. Avoid using the `FileName` parameter in this function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** A command injection issue was found via the `servername` parameter in the `setting/delStaticDhcpRules` function. This allows for potential exploitation. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider restricting access to the `setting/delStaticDhcpRules` function until a patch is available. Avoid using the `servername` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOlink A7100RU version 7.4cu.2313 B20191024 **Description** The issue is related to a Command Injection Vulnerability in the httpd service of the TOTOlink A7100RU router's firmware. This vulnerability allows an attacker to execute arbitrary commands by sending a specially constructed payload, potentially leading to the attacker obtaining a stable root shell. The vulnerability is due to the lack of proper sanitization of special elements, which can be exploited by a remote attacker. **Recommendations** For TOTOlink A7100RU version 7.4cu.2313 B20191024, consider disabling the httpd service until a patch is available to prevent exploitation of the Command Injection Vulnerability. Restrict access to the router's web interface to minimize the risk of exploitation. Avoid using the router's web interface for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.