PT-2024-26481 · Totolink · Totolink Cp900L

Published: 2024-05-28 · Updated: 2024-11-25 · CVE-2024-35401

CVSS v3.1: 5.9 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: TOTOLINK CP900L version 4.1.5cu.798 B20221228

Description: A command injection vulnerability was found in the FileName parameter of the UploadFirmwareFile function. Because the parameter value reaches an operating system command, it could allow execution of arbitrary commands on the device.

Recommendations: For TOTOLINK CP900L version 4.1.5cu.798 B20221228, restrict access to the UploadFirmwareFile function until a patch is available. As a temporary workaround, avoid using the FileName parameter of the affected function to reduce the risk of exploitation. At the time of writing, there is no information about a newer version that contains a fix for this issue.

Fix

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2024-35401

Affected Products: Totolink Cp900L