Comfast · Cf-Xr11 · CVE-2025-57293
**Name of the Vulnerable Software and Affected Versions**
COMFAST CF-XR11 version V2.7.2
**Description**
A command injection issue exists in the `multi_pppoe` API, processed by the `sub_423930` function. The `phy_interface` parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to `/cgi-bin/mbox-config?method=SET&section=multi_pppoe`. Specifically, when the `action` parameter is set to `one_click_redial`, the unsanitized `phy_interface` value is passed into a `system()` call, so whatever the parameter contains is interpreted by the shell. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.
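To illustrate the mechanism the description names, the following is an added C example, not code from the device firmware or from the advisory's author. It places the pattern the advisory describes (a request parameter spliced into a `system()` command line) beside a hardened handler that validates the interface name against a strict allowlist and then launches the helper through `execv` with an argument array, so no shell ever parses the value. The helper path `/sbin/pppoe-redial` and the function names are assumptions; the real handler is the `sub_423930` routine the advisory refers to and is not reproduced here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define IFNAME_MAX 15   /* Linux IFNAMSIZ minus the terminating NUL */

/* Hypothetical helper the handler would invoke; not a path from the advisory. */
static const char *REDIAL_HELPER = "/sbin/pppoe-redial";

/* Allowlist check for an interface name: 1..15 characters, each from
 * [A-Za-z0-9._-]. Anything a shell could interpret (';', '|', '&', '`',
 * '$', '(', ')', '<', '>', whitespace, quotes) is rejected outright. */
bool is_safe_ifname(const char *name)
{
    if (name == NULL) return false;
    size_t len = strlen(name);
    if (len == 0 || len > IFNAME_MAX) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return false;
    }
    return true;
}

/* The vulnerable pattern the advisory describes: the unvalidated parameter
 * is formatted into a command string handed to system(), so /bin/sh parses
 * it and any metacharacters in the value become shell syntax. */
int redial_vulnerable(const char *phy_interface)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "%s %s", REDIAL_HELPER, phy_interface);
    return system(cmd);
}

/* Hardened replacement: reject anything outside the allowlist, then run the
 * helper directly with an argv array (no shell involved). Returns -1 when the
 * input is rejected, -2 when the child could not be started or waited for,
 * otherwise the helper's exit status (127 if the helper binary is absent). */
int redial_hardened(const char *phy_interface)
{
    if (!is_safe_ifname(phy_interface)) return -1;

    const char *argv[] = { REDIAL_HELPER, phy_interface, NULL };
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);  /* only returns on failure */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}
```

The allowlist mirrors the Linux kernel's interface-name limit, which is the natural bound for a parameter that is supposed to name a physical interface; if the product needs a wider character set, the point stands as long as the value never reaches a shell and is checked before use. The `-1` return makes rejected input distinguishable from a helper failure so the CGI layer can return an HTTP 400 rather than a generic error.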
**Recommendations**
As a temporary workaround, consider disabling the `multi_pppoe` API until a patch is available.
Restrict access to the `/cgi-bin/mbox-config` endpoint to minimize the risk of exploitation.
Avoid using the `action` parameter with the value `one_click_redial` until the issue is resolved.