Totolink · Totolink X5000R · CVE-2023-30013
**Name of the Vulnerable Software and Affected Versions**
TOTOLINK X5000R versions V9.1.0u.6118 B20201102 through V9.1.0u.6369 B20230113
**Description**
The TOTOLINK X5000R router firmware contains an OS command injection vulnerability in the `setting/setTracerouteCfg` component. An attacker can execute arbitrary commands through the `command` parameter, potentially gaining full access to the device. The root cause is that special elements used in the operating system command are not neutralized before the command is executed.
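The description above names the root cause (request data reaching an OS command without neutralization) but not how the handler is written. The following added example, constructed for this page and not taken from the X5000R firmware, contrasts the unsafe shell-string pattern with a hardened handler that allowlists the traceroute target and launches `traceroute` via an argv array so no shell ever parses the parameter; the function names, the 253-character bound and the `-m 15` hop limit are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed illustration of the CWE-78 pattern behind the advisory;
 * not the X5000R firmware's actual code. The unsafe handler splices
 * the request parameter into a shell command line, so any shell
 * metacharacter in it is interpreted by /bin/sh. */
void run_traceroute_unsafe(const char *target) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "traceroute %s", target);
    system(cmd);
}

/* Allowlist check for a traceroute target: hostname or IPv4 literal
 * characters only, bounded length, no leading '-' or '.', so the value
 * can be neither a shell fragment nor a command-line option. */
bool is_valid_trace_target(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-' || s[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Hardened handler: validate first, then pass the target as its own
 * argv entry to execvp() so no shell parses it. Returns the child's
 * exit status, or -1 if the target was rejected or the launch failed. */
int run_traceroute_safely(const char *target) {
    if (!is_valid_trace_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"traceroute", "-m", "15", (char *)target, NULL};
        execvp(argv[0], argv);
        _exit(127); /* only reached if execvp itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allowlist is deliberately stricter than what a shell would treat as special: rejecting everything outside the expected character set is simpler to reason about than enumerating metacharacters.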
**Recommendations**
For TOTOLINK X5000R versions V9.1.0u.6118 B20201102 through V9.1.0u.6369 B20230113, consider disabling the `setting/setTracerouteCfg` component or restricting access to it until a patch is available. Avoid using the `command` parameter of the affected API endpoint to minimize the risk of exploitation. At the time of writing, no newer firmware version containing a fix for this vulnerability is known.