Command Injection in TOTOLINK CA300-PoE Product by TOTOLINK
CVE-2023-24145

9.8CRITICAL

Key Information:

Vendor: Totolink
Status: Ca300-poe Firmware
Vendor: CVE Published:; 3 February 2023

Summary

The TOTOLINK CA300-PoE product is affected by a command injection vulnerability found in the setUnloadUserData function, specifically through the plugin_version parameter. This security flaw could potentially allow attackers to execute arbitrary commands on the affected device, compromising the security of the entire network. Timely updates and patches are essential to mitigate this risk.

References

https://github.com/Double-q1015/CVE-vulns/blob/main/totol...

EPSS Score

31% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Jan 23, 2023