CVE-2024-3879

Name of the Vulnerable Software and Affected Versions: Tenda W30E version 1.0.1.25(633)

Description: A critical issue was found in the function formSetCfm of the file "/goform/setcfm". The manipulation of the argument funcpara1 leads to a stack-based buffer overflow. It is possible to initiate the attack remotely.

Recommendations: Tenda W30E version 1.0.1.25(633): Update the firmware to a version that fixes the issue in the formSetCfm function, ensuring that the funcpara1 argument is properly validated to prevent stack-based buffer overflow. As a temporary workaround, consider disabling the formSetCfm function until a patch is available. Restrict access to the "/goform/setcfm" endpoint to minimize the risk of exploitation. Avoid using the argument funcpara1 in the affected API endpoint until the issue is resolved.