PT-2024-2554 · Tenda · Tenda Ac10

Published: 2024-03-28 · Updated: 2025-03-17 · CVE-2024-30612

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Tenda AC10U version 15.03.06.48

Description
Tenda AC10U version 15.03.06.48 contains a stack overflow (stack-based buffer overflow) in the formSetClientState function, which handles the /goform/SetClientState API endpoint. The overflow is reached through the deviceId, limitSpeed, and limitSpeedUp parameters. A remote attacker can exploit it to compromise the confidentiality, integrity, and availability of protected information.

Recommendations
For Tenda AC10U version 15.03.06.48, consider disabling the formSetClientState function until a patch is available. Restrict access to the /goform/SetClientState API endpoint to minimize the risk of exploitation, and avoid using the deviceId, limitSpeed, and limitSpeedUp parameters of the affected endpoint until the issue is resolved.
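One way to act on the recommendation to restrict the endpoint is to screen requests for it before they reach the router, flagging any of the three named parameters whose value is far longer than a MAC address or a small integer. The following is an added example written for this advisory, not code from the vendor or the advisory's authors; the length threshold, the proxy-style check_request helper and the sample traffic are assumptions.

```python
"""Flag requests to /goform/SetClientState that carry oversized values in
the deviceId / limitSpeed / limitSpeedUp parameters named in the advisory."""
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameters taken from the advisory.
MONITORED_PATH = "/goform/SetClientState"
MONITORED_PARAMS = ("deviceId", "limitSpeed", "limitSpeedUp")
# Threshold is an assumption: legitimate values are a MAC address or a
# small integer, so anything beyond a few dozen bytes is suspicious.
MAX_VALUE_LEN = 32


def check_request(method: str, path: str, body: str = "") -> dict:
    """Return a verdict for one request: whether it targets the monitored
    endpoint, which monitored parameters exceed MAX_VALUE_LEN (with their
    longest observed length), and whether the request should be blocked."""
    url = urlsplit(path)
    if url.path != MONITORED_PATH:
        return {"monitored": False, "block": False, "oversized": {}}
    params = parse_qs(url.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        # Form-encoded POST bodies carry the same parameters as the query.
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    oversized = {
        name: max(len(v) for v in params[name])
        for name in MONITORED_PARAMS
        if name in params and any(len(v) > MAX_VALUE_LEN for v in params[name])
    }
    return {"monitored": True, "block": bool(oversized), "oversized": oversized}


# Constructed sample traffic (not real captures): one normal request, one
# with an oversized deviceId, one to an unrelated endpoint.
SAMPLES = [
    ("POST", "/goform/SetClientState",
     "deviceId=00:11:22:33:44:55&limitSpeed=512&limitSpeedUp=128"),
    ("POST", "/goform/SetClientState",
     "deviceId=" + "A" * 200 + "&limitSpeed=0&limitSpeedUp=0"),
    ("GET", "/goform/WifiBasicSet?ssid=home", ""),
]


def scan(samples=SAMPLES) -> list:
    """Apply check_request to each (method, path, body) tuple."""
    return [check_request(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan()):
        print(sample[0], sample[1], "->", "BLOCK" if verdict["block"] else "allow",
              verdict["oversized"])
```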

Weakness Enumeration

Stack Overflow
Related Identifiers

BDU:2024-02562
CVE-2024-30612

Affected Products

Tenda Ac10