PT-2023-8533 · Totolink · Totolink Ex1200T
Published
2023-12-22
·
Updated
2024-01-03
·
CVE-2023-51035
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
TOTOLINK EX1200L version 9.3.5u.6146 B20201023
Description
The issue concerns the NTPSyncWithHost function in the cstecgi.cgi file of the TOTOLINK EX1200L router's firmware. It allows for arbitrary command execution due to the lack of proper sanitization of special elements used in the operating system command. This could enable a remote attacker to execute arbitrary code.
Recommendations
For TOTOLINK EX1200L version 9.3.5u.6146 B20201023, consider disabling access to the "cstecgi.cgi" interface, specifically the NTPSyncWithHost function, until a patch is available. Restrict access to this interface to minimize the risk of exploitation. Avoid using the NTPSyncWithHost function in the affected API endpoint until the issue is resolved.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Totolink Ex1200T