CVE-2024-7331

Name of the Vulnerable Software and Affected Versions TOTOLINK A3300R version 17.0.0cu.557 B20221024

Description A critical issue was found in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file, which can be exploited remotely. The manipulation of the File argument leads to a buffer overflow. This can allow an attacker to impact the confidentiality, integrity, and availability of protected information by sending a specially crafted POST request to the "/cgi-bin/cstecgi.cgi" endpoint. The exploit has been disclosed to the public.

Recommendations For TOTOLINK A3300R version 17.0.0cu.557 B20221024, as a temporary workaround, consider disabling the UploadCustomModule function until a patch is available. Restrict access to the /cgi-bin/cstecgi.cgi file to minimize the risk of exploitation. Avoid using the File argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.