CVE-2023-38933

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 2.0 V15.03.06.23 Tenda AC7 version 1.0 V15.03.06.44 Tenda F1203 version 2.0.1.6 Tenda AC5 version 1.0 V15.03.06.28 Tenda FH1203 version 2.0.1.6 Tenda AC9 version 3.0 V15.03.06.42 multi Tenda FH1205 version 2.0.0.7(775)

Description The issue is related to a stack overflow in the formSetClientState function when handling the deviceId parameter. This can allow a remote attacker to execute arbitrary code or cause a denial of service.

Recommendations For Tenda AC6 version 2.0 V15.03.06.23, consider disabling the formSetClientState function until a patch is available. For Tenda AC7 version 1.0 V15.03.06.44, consider disabling the formSetClientState function until a patch is available. For Tenda F1203 version 2.0.1.6, consider disabling the formSetClientState function until a patch is available. For Tenda AC5 version 1.0 V15.03.06.28, consider disabling the formSetClientState function until a patch is available. For Tenda FH1203 version 2.0.1.6, consider disabling the formSetClientState function until a patch is available. For Tenda AC9 version 3.0 V15.03.06.42 multi, consider disabling the formSetClientState function until a patch is available. For Tenda FH1205 version 2.0.0.7(775), consider disabling the formSetClientState function until a patch is available. As a temporary workaround, avoid using the deviceId parameter in the affected function until the issue is resolved.