PT-2023-8496 · Totolink · Totolink A3700R
Published
2023-10-24
·
Updated
2023-12-31
·
CVE-2023-46574
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
TOTOLINK A3700R version 9.1.2u.6165 20211012
Description
An issue in the UploadFirmwareFile function of TOTOLINK A3700R version 9.1.2u.6165 20211012 allows a remote attacker to execute arbitrary code via the FileName parameter. The value of FileName is not sanitized before it is processed, so an attacker who can reach the firmware-upload handler can inject shell commands and execute arbitrary code on the device.
Recommendations
For TOTOLINK A3700R version 9.1.2u.6165 20211012 there is currently no information about a release that contains a fix. As a temporary workaround, disable the UploadFirmwareFile function until a patch is available, and restrict access to the device's management interface to trusted networks so that the affected function and its FileName parameter cannot be reached by untrusted clients.
Exploit
Command Injection
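The bug class behind this advisory, shown as an added illustration rather than code from TOTOLINK's firmware: a hypothetical upload handler that interpolates FileName into a shell command, beside an allowlist check and shell-free path construction that close the injection. The function names, the /tmp paths and the sample filenames are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical UNSAFE pattern (not the TOTOLINK code): the untrusted
 * FileName value is pasted into a command line that would later be
 * handed to system(). Anything the shell treats as a metacharacter
 * (";", "|", "$(...)", backticks) becomes attacker-controlled code.
 * Returns 0 and fills out[] with the command that would be executed. */
int build_unsafe_cmd(const char *filename, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "mv /tmp/%s /tmp/firmware.bin", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check for a single path component: non-empty, bounded
 * length, no leading dot (rejects "..", hidden files), and only
 * [A-Za-z0-9._-]. Everything else, including '/', spaces and shell
 * metacharacters, is rejected. Returns 1 if safe, 0 otherwise. */
int filename_is_safe(const char *filename) {
    size_t len = strlen(filename);
    if (len == 0 || len > 64) return 0;
    if (filename[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened variant: validate first, then build only a destination path.
 * The caller then uses rename(path, "/tmp/firmware.bin") (or a direct
 * open/write) instead of a shell, so no command string exists to inject
 * into. Returns 0 on success, -1 if the name is rejected or too long. */
int build_safe_path(const char *filename, char *out, size_t outlen) {
    if (!filename_is_safe(filename)) return -1;
    int n = snprintf(out, outlen, "/tmp/%s", filename);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const char *inputs[] = { "A3700R_9.1.2u.bin", "fw.bin;reboot",
                             "$(id)", "../etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_unsafe_cmd(inputs[i], buf, sizeof buf) == 0)
            printf("unsafe handler would run: %s\n", buf);
        if (build_safe_path(inputs[i], buf, sizeof buf) == 0)
            printf("hardened handler accepts:  %s\n", buf);
        else
            printf("hardened handler rejects:  %s\n", inputs[i]);
    }
    return 0;
}
```

The allowlist is deliberately strict; a firmware image name has no legitimate need for spaces, slashes or shell syntax, so rejecting anything outside the small character set is cheaper and safer than trying to escape it.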
Affected Products
Totolink A3700R