Yangyi

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version 17.0.0cu.557 B20221024 **Description** A command injection issue was discovered via the `hostName` parameter in the `setWanCfg` function. This allows for potential exploitation. **Recommendations** For TOTOLINK A3300R version 17.0.0cu.557 B20221024, consider restricting access to the `setWanCfg` function until a patch is available. As a temporary workaround, avoid using the `hostName` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version V17.0.0cu.557 B20221024 **Description** A command injection issue was discovered via the `tz` parameter in the `setNtpCfg` function, allowing for potential exploitation. **Recommendations** For TOTOLINK A3300R version V17.0.0cu.557 B20221024, consider restricting access to the `setNtpCfg` function until a patch is available. Avoid using the `tz` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version 17.0.0cu.557 B20221024 **Description** A command injection issue was discovered via the `pass` parameter in the `setTr069Cfg` function. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOLINK A3300R version 17.0.0cu.557 B20221024, as a temporary workaround, consider restricting access to the `setTr069Cfg` function until a patch is available. Avoid using the `pass` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version V17.0.0cu.557 B20221024 **Description** A command injection issue was discovered via the `username` parameter in the `setDdnsCfg` function. This allows for potential exploitation. **Recommendations** For TOTOLINK A3300R version V17.0.0cu.557 B20221024, consider restricting access to the `setDdnsCfg` function until a patch is available. Avoid using the `username` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version V17.0.0cu.557 B20221024 **Description** A command injection issue was discovered via the `ip` parameter in the `setDmzCfg` function. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For TOTOLINK A3300R version V17.0.0cu.557 B20221024, consider restricting access to the `setDmzCfg` function to minimize the risk of exploitation. Avoid using the `ip` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTOLINK A3300R version V17.0.0cu.557 B20221024 **Description** A command injection issue was found via the `minute` parameter in the `setScheduleCfg` function. This allows for potential exploitation. **Recommendations** For TOTOLINK A3300R version V17.0.0cu.557 B20221024, consider restricting access to the `setScheduleCfg` function until a patch is available. As a temporary workaround, avoid using the `minute` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.