CVE-2024-0535

Name of the Vulnerable Software and Affected Versions Tenda PA6 version 1.0.1.21

Description The issue is related to a stack-based buffer overflow in the cgiPortMapAdd function of the Tenda PA6's httpd component, specifically in the /portmap file. This can be exploited through the manipulation of the groupName argument, allowing a remote attacker to execute arbitrary code. The vulnerability can also be exploited through the type and s f name parameters. The attack can be launched remotely.

Recommendations For Tenda PA6 version 1.0.1.21, as a temporary workaround, consider disabling the cgiPortMapAdd function until a patch is available. Restrict access to the /portmap file of the httpd component to minimize the risk of exploitation. Avoid using the groupName argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.