PT-2022-11891 · Totolink · Totolink Ex200

Published: 2022-01-04 · Updated: 2022-01-12 · CVE-2021-43711

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TOTOLINK EX200 version 4.0.3c.7646 B20201211

Description: The downloadFlile.cgi binary has a command injection vulnerability when it receives GET parameters. A crafted parameter name allows unauthenticated command execution.

Recommendations: For TOTOLINK EX200 version 4.0.3c.7646 B20201211, as a temporary workaround, consider restricting access to the downloadFlile.cgi binary until a patch is available. Avoid using constructed parameter names in GET requests to the affected binary.

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2021-43711

Affected Products: Totolink Ex200