Tecno 4G Portable WiFi TR118 Ping Tool goform_get_cmd_process os command injection
CVE-2023-6304

8HIGH

Key Information:

Vendor
Tecno
Status
4G Portable WiFi TR118
Vendor
CVE Published:
27 November 2023

Summary

The Tecno 4G Portable WiFi TR118 is affected by a vulnerability in the Ping Tool component, specifically in the /goform/goform_get_cmd_process file. This flaw allows attackers to manipulate the 'url' argument, enabling OS command injection. The vulnerability can be exploited remotely, potentially compromising the device's security. Despite reaching out to the vendor prior to public disclosure, there was no response, raising concerns about the vulnerability's implications for users.

Affected Version(s)

4G Portable WiFi TR118 TR118-M30E-RR-D-EnFrArSwHaPo-OP-V008-20220830

References

https://vuldb.com/?id.246130
vdb-entrytechnical-description
https://vuldb.com/?ctiid.246130
signaturepermissions-required
https://drive.google.com/file/d/1DUSlAxTbNLBdv1aLUAn-tDMu...
exploit

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Allan Njuguna (VulDB User)
.