Command Injection Vulnerability in Tenda W18E Router
CVE-2023-46370

9.8CRITICAL

Key Information:

Vendor: Tenda
Status: W18e Firmware
Vendor: CVE Published:; 25 October 2023

Summary

The Tenda W18E router, specifically version V16.01.0.8(1576), contains a command injection vulnerability that exploits the hostName parameter within the formSetNetCheckTools function. This flaw could allow unauthorized access to execute arbitrary commands, posing significant security risks for users. Proper validation and sanitization measures are essential to mitigate such vulnerabilities in network devices.

References

https://github.com/Archerber/bug_submit/blob/main/Tenda/W...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Oct 23, 2023