Lin7Lic

**Name of the Vulnerable Software and Affected Versions** Totolink T8 version 4.1.5cu.833 20220905 **Description** A vulnerability was found in the file /cgi-bin/cstecgi.cgi of the Totolink T8, which is related to incorrect session expiration. The manipulation of this issue can lead to session expiration. The attack may be launched remotely, with a rather high complexity of attack and difficult exploitation. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider restricting access to the /cgi-bin/cstecgi.cgi file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink N200RE V5 version 9.3.5u.6255 B20211224 **Description** The issue is related to the `/cgi-bin/cstecgi.cgi` file in the Totolink N200RE router's firmware, specifically concerning incorrect session expiration. This can allow a remote attacker to disclose protected information. The manipulation of an unknown function in the file leads to session expiration, and it is possible to launch the attack remotely. **Recommendations** For Totolink N200RE V5 version 9.3.5u.6255 B20211224, consider restricting access to the `/cgi-bin/cstecgi.cgi` file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink N350RT version 9.3.5u.6255 **Description** The issue is related to the `/cgi-bin/cstecgi.cgi` file in the Totolink N350RT router's firmware, which is associated with incorrect session expiration. This can be exploited by a remote attacker to disclose protected information. The attack complexity is rather high, and the exploitation appears to be difficult. **Recommendations** For Totolink N350RT version 9.3.5u.6255, as a temporary workaround, consider restricting access to the `/cgi-bin/cstecgi.cgi` file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink N350RT version 9.3.5u.6265 **Description** A critical vulnerability was found in the Setting Handler component, affecting unknown code of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls, and the attack can be initiated remotely. **Recommendations** Upgrade the affected component to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the /cgi-bin/cstecgi.cgi file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Totolink T8 version 4.1.5cu.833 20220905 **Description** A problematic vulnerability has been found in the Totolink T8, affecting the `getSysStatusCfg` function of the `/cgi-bin/cstecgi.cgi` file in the Setting Handler component. The manipulation of the `ssid/key` argument leads to information disclosure. This issue can be exploited remotely. **Recommendations** For Totolink T8 version 4.1.5cu.833 20220905, upgrade to version 4.1.5cu.862 B20230228 to address this issue. As a temporary workaround, consider restricting access to the `/cgi-bin/cstecgi.cgi` file or disabling the `getSysStatusCfg` function until the update is applied. Avoid using the `ssid/key` argument in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Totolink N200RE V5 version V9.3.5u.6255 B20211224 **Description** The issue allows remote attackers to obtain Wi-Fi system information, such as Wi-Fi SSID and Wi-Fi password, without logging into the management page due to Incorrect Access Control. **Recommendations** For Totolink N200RE V5 version V9.3.5u.6255 B20211224, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Totolink T6 version 4.1.9cu.5241 B20210923 **Description** A vulnerability has been found in the Totolink T6, affecting an unknown part of the file /cgi-bin/cstecgi.cgi. The manipulation of the `topicurl` argument with the input `showSyslog` leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This issue is related to insufficient access control in the mesh system's software. **Recommendations** For Totolink T6 version 4.1.9cu.5241 B20210923, as a temporary workaround, consider restricting access to the `/cgi-bin/cstecgi.cgi` file until a patch is available. Avoid using the `topicurl` argument with the input `showSyslog` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK N200RE version 9.3.5u.6255 B20211224 **Description** A problematic vulnerability has been found in the Telnet Service component of the TOTOLINK N200RE, affecting an unknown function of the file /squashfs-root/etc ro/custom.conf. The manipulation leads to exposure of passwords in the configuration file. This issue can be exploited locally. The vulnerability is related to the use of an unstable cryptographic algorithm in configuration files, which may allow an attacker to gain unauthorized access to protected information. **Recommendations** For TOTOLINK N200RE version 9.3.5u.6255 B20211224, consider disabling the Telnet Service or restricting access to the /squashfs-root/etc ro/custom.conf file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YAFNET versions up to 3.1.11 **Description** A vulnerability was found in the Signature Handler component of YAFNET, which can lead to cross-site scripting. The attack may be initiated remotely. The issue affects some unknown processing of this component. **Recommendations** For YAFNET versions up to 3.1.11, upgrade to version 3.1.12 to address this issue.

**Name of the Vulnerable Software and Affected Versions** YAFNET versions up to 3.1.10 **Description** A problematic issue has been found in the Private Message Handler component, affecting the processing of the file /forum/PostPrivateMessage. The manipulation of the `subject` and `message` arguments leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For YAFNET versions up to 3.1.10, upgrade to version 3.1.11 to address this issue. As a temporary workaround, consider restricting access to the /forum/PostPrivateMessage file until the upgrade is applied.