PT-2020-14710 · Tenda · Tenda Ac15 Ac1900

Published: 2020-07-23 · Updated: 2020-07-27 · CVE-2020-15916

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Tenda AC15 AC1900 version 15.03.05.19

Description

The "goform/AdvSetLanip" endpoint allows remote attackers to execute arbitrary system commands by injecting shell metacharacters into the lanIp POST parameter.

Recommendations

For version 15.03.05.19, as a temporary workaround, consider restricting access to the "goform/AdvSetLanip" endpoint until a patch is available. Avoid using the lanIp parameter in the affected endpoint until the issue is resolved.
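The root cause described above is a form value reaching a system command without validation. The following is an added example, not Tenda firmware code (the page does not show the handler): a strict allow-list check for a lanIp-style value, where the function name lan_ip_is_valid and the sample inputs are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the firmware): accept a lanIp form value
 * only if it is a canonical dotted-quad IPv4 address. Returns 1 or 0. */
int lan_ip_is_valid(const char *value)
{
    struct in_addr addr;
    char canonical[INET_ADDRSTRLEN];

    if (value == NULL)
        return 0;

    size_t len = strlen(value);
    if (len < 7 || len > 15)          /* "0.0.0.0" .. "255.255.255.255" */
        return 0;

    /* Allow-list: digits and dots only, so shell metacharacters,
     * whitespace and newlines are rejected before any parsing. */
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)value[i]) && value[i] != '.')
            return 0;
    }

    /* Must parse as exactly four octets in range 0-255. */
    if (inet_pton(AF_INET, value, &addr) != 1)
        return 0;

    /* Round-trip check: reject non-canonical spellings such as "010.0.0.1". */
    if (inet_ntop(AF_INET, &addr, canonical, sizeof canonical) == NULL)
        return 0;
    return strcmp(canonical, value) == 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "192.168.0.1", "10.0.0.1;x", "192.168.1",
                              "256.0.0.1", "010.0.0.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               lan_ip_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A check like this belongs in the request handler before the value is stored or used; passing the value as a separate process argument instead of building a shell command string removes metacharacter interpretation entirely.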

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2020-15916

Affected Products

Tenda Ac15 Ac1900