Yongjie Zheng

Name of the Vulnerable Software and Affected Versions: Tenda G1 and G3 routers version v15.11.0.17(9502) CN Description: A buffer overflow issue allows remote attackers to execute arbitrary code via a crafted action/"qosIndex " request. This occurs because the `formQOSRuleDel` function directly passes the parameter `qosIndex` to `strcpy` without limit. Recommendations: For Tenda G1 and G3 routers version v15.11.0.17(9502) CN, as a temporary workaround, consider disabling the `formQOSRuleDel` function until a patch is available. Restrict access to the API endpoint that handles the "qosIndex" request to minimize the risk of exploitation. Avoid using the parameter `qosIndex` in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Tenda G1 and G3 routers version V15.11.0.17(9502) CN Description: The issue allows remote attackers to execute arbitrary code via a crafted `action/"IPMacBindIndex"` request. This occurs because the `formIPMacBindDel` function directly passes the parameter `IPMacBindIndex` to `strcpy` without limit. Recommendations: For Tenda G1 and G3 routers version V15.11.0.17(9502) CN, as a temporary workaround, consider disabling the `formIPMacBindDel` function until a patch is available. Restrict access to the `IPMacBindIndex` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Tenda G1 and G3 routers version v15.11.0.17(9502) CN Description: The issue allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex" request. This occurs because the `formDelPortMapping` function directly passes the parameter `portMappingIndex` to strcpy without limit. Recommendations: For Tenda G1 and G3 routers version v15.11.0.17(9502) CN, as a temporary workaround, consider restricting access to the `formDelPortMapping` function until a patch is available. Avoid using the parameter `portMappingIndex` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: TOTOLINK X5000R version v9.1.0u.6118 B20201102 TOTOLINK A720R version v4.1.5cu.470 B20200911 Description: The issue allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because a function executes glibc's system function with untrusted input. The `command` parameter is directly passed to the attacker, allowing them to control the `command` field and attack the OS. Recommendations: For TOTOLINK X5000R version v9.1.0u.6118 B20201102, consider disabling the function that executes the system command with untrusted input until a patch is available. For TOTOLINK A720R version v4.1.5cu.470 B20200911, restrict access to the `command` parameter in the affected HTTP request to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: TOTOLINK X5000R version v9.1.0u.6118 B20201102 TOTOLINK A720R version v4.1.5cu.470 B20200911 Description: The issue allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because a function executes glibc's system function with untrusted input. The `ip` parameter is directly passed to the attacker, allowing them to control the `ip` field and attack the OS. Recommendations: For TOTOLINK X5000R version v9.1.0u.6118 B20201102, consider disabling the function that executes glibc's system function with untrusted input until a patch is available. For TOTOLINK A720R version v4.1.5cu.470 B20200911, restrict access to the `ip` parameter in the affected HTTP request to minimize the risk of exploitation.