Yanggao017

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A6000R version V1.0.1-B20201211.2000 **Description** A command injection issue was discovered via the `opmode` parameter in the `action reboot` function. This allows for potential exploitation. **Recommendations** For TOTOLINK A6000R version V1.0.1-B20201211.2000, as a temporary workaround, consider restricting access to the `action reboot` function until a patch is available. Avoid using the `opmode` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Linksys E7350 version 1.1.00.032 **Description** A command injection issue was discovered via the `ifname` parameter in the `apcli cancel wps` function. This allows for potential exploitation. **Recommendations** For Linksys E7350 version 1.1.00.032, consider disabling the `apcli cancel wps` function until a patch is available to prevent command injection via the `ifname` parameter. Restrict access to the vulnerable function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linksys E7350 version 1.1.00.032 **Description** A command injection issue was discovered via the `ifname` parameter in the `apcli do enr pbc wps` function. This allows for potential exploitation. **Recommendations** For Linksys E7350 version 1.1.00.032, consider disabling the `apcli do enr pbc wps` function until a patch is available. Avoid using the `ifname` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linksys E7350 version 1.1.00.032 **Description** A command injection issue was discovered via the `ifname` parameter in the `apcli do enr pin wps` function. This allows for potential exploitation. **Recommendations** For Linksys E7350 version 1.1.00.032, as a temporary workaround, consider restricting access to the `apcli do enr pin wps` function until a patch is available. Avoid using the `ifname` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A6000R version V1.0.1-B20201211.2000 **Description** A command injection issue was discovered, affecting the `reset wifi` function through the `devname` parameter. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOLINK A6000R version V1.0.1-B20201211.2000, consider disabling the `reset wifi` function until a patch is available to prevent exploitation via the `devname` parameter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linksys E7350 version 1.1.00.032 **Description** A command injection issue was discovered via the `devname` parameter in the `reset wifi` function. This allows for potential exploitation. **Recommendations** For Linksys E7350 version 1.1.00.032, consider disabling the `reset wifi` function until a patch is available to prevent command injection via the `devname` parameter. Restrict access to the `reset wifi` function to minimize the risk of exploitation. Avoid using the `devname` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A6000R version V1.0.1-B20201211.2000 **Description** The issue is related to the `cmd` parameter in the `webcmd` function of the TOTOLINK A6000R router's firmware, which fails to neutralize special elements used in the operating system command. This can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted command. **Recommendations** For version V1.0.1-B20201211.2000, as a temporary workaround, consider disabling the `webcmd` function until a patch is available. Restrict access to the `cmd` parameter in the `webcmd` function to minimize the risk of exploitation. Avoid using the `cmd` parameter in the affected `webcmd` function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version 1.0.1-B20201211.2000 Description: The issue is related to a command injection vulnerability in the `apcli do enr pbc wps` function. This vulnerability is associated with the failure to neutralize special elements used in the operating system command. The exploitation of this issue may allow a remote attacker to execute arbitrary code by sending a specially crafted command. The `ifname` parameter is specifically mentioned as the vulnerable parameter in this context. Recommendations: For TOTOLINK A6000R version 1.0.1-B20201211.2000, as a temporary workaround, consider disabling the `apcli do enr pbc wps` function until a patch is available. Restrict access to the vulnerable `ifname` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A6000R version 1.0.1-B20201211.2000 **Description** The issue is related to a command injection vulnerability in the `apcli do enr pin wps` function, specifically via the `ifname` parameter. This vulnerability can be exploited by a remote attacker to execute arbitrary commands. The vulnerability is caused by the lack of proper sanitization of special elements used in the command when processing the `ifname` parameter. **Recommendations** For TOTOLINK A6000R version 1.0.1-B20201211.2000, consider disabling the `apcli do enr pin wps` function until a patch is available to prevent exploitation of the command injection vulnerability via the `ifname` parameter. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the `ifname` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version V1.0.1-B20201211.2000 Description: The issue is related to the apcli wps gen pincode function in the TOTOLINK A6000R router's firmware, which fails to neutralize special elements used in a command when processing the `ifname` parameter. This can allow a remote attacker to execute arbitrary commands. Recommendations: For TOTOLINK A6000R version V1.0.1-B20201211.2000, consider disabling the `apcli wps gen pincode` function until a patch is available to prevent exploitation via the `ifname` parameter. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the `ifname` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version V1.0.1-B20201211.2000 Description: The issue is related to the `get apcli conn info` function in the TOTOLINK A6000R router's firmware, which fails to neutralize special elements used in an OS command. This can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted command. The vulnerability is specifically related to the `ifname` parameter in the `get apcli conn info` function. Recommendations: For TOTOLINK A6000R version V1.0.1-B20201211.2000, consider disabling the `get apcli conn info` function until a patch is available to prevent exploitation. Additionally, restrict access to the `ifname` parameter to minimize the risk of command injection attacks.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version V1.0.1-B20201211.2000 Description: The issue is related to the `apcli cancel wps` function in the TOTOLINK A6000R router's firmware, which fails to neutralize special elements used in an operating system command. This can be exploited by a remote attacker to execute arbitrary code by sending a specially crafted command. The vulnerability is specifically related to the `ifname` parameter in the `apcli cancel wps` function. Recommendations: For TOTOLINK A6000R version V1.0.1-B20201211.2000, consider disabling the `apcli cancel wps` function until a patch is available to prevent exploitation via the `ifname` parameter. Restrict access to the vulnerable function to minimize the risk of arbitrary code execution. Avoid using the `ifname` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TOTOLINK A6000R version V1.0.1-B20201211.2000 Description: A command injection issue exists due to the lack of neutralization of special elements used in the operating system command. This issue is related to the `vif disable` function and can be exploited via the `iface` parameter, allowing a remote attacker to execute arbitrary commands. Recommendations: For TOTOLINK A6000R version V1.0.1-B20201211.2000, consider disabling the `vif disable` function as a temporary workaround until a patch is available. Restrict access to the `iface` parameter in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** lua-shmem version 1.0-1 **Description** A buffer overflow issue was discovered in lua-shmem via the `shmem write` function. **Recommendations** For lua-shmem version 1.0-1, consider disabling the `shmem write` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** luci-app-sms-tool version 1.9-6 **Description** A command injection issue was found in luci-app-sms-tool via the `score` parameter. **Recommendations** For luci-app-sms-tool version 1.9-6, avoid using the `score` parameter until a fix is available. Consider restricting access to the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** luci-app-lucky version 2.8.3 **Description** The issue is related to hardcoded credentials in the software. **Recommendations** For luci-app-lucky version 2.8.3, update to a version where the hardcoded credentials issue is resolved, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.