CVE-2024-34218

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions TOTOLINK CP450 versions 4.1.0cu.747 B20191224

Description The issue is related to the NTPSyncWithHost function of the Request Handler component in the TOTOLINK CP450 router's firmware, which fails to properly sanitize data at the management level. This can be exploited by a remote attacker to execute arbitrary commands via the hostTime parameter.

Recommendations For version 4.1.0cu.747 B20191224, consider disabling the NTPSyncWithHost function as a temporary workaround until a patch is available. Restrict access to the hostTime parameter in the affected API endpoint to minimize the risk of exploitation.

Exploit

Fix

Improper Neutralization

Special Elements Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-707CWE-74CWE-77

Related Identifiers

BDU:2024-04035

CVE-2024-34218

Affected Products

Totolink Cp450

CVE-2024-34218

Weakness Enumeration

Related Identifiers

Affected Products

References · 5