Tecno 4G Portable WiFi TR118 Vulnerability: Remote SQL Injection Attack Possible
CVE-2024-10195

9.8CRITICAL

Key Information:

Vendor
Tecno
Status
4g Portable Wifi Tr118
Vendor
CVE Published:
20 October 2024

Summary

A vulnerability in the Tecno 4G Portable WiFi TR118 has been identified, specifically within the SMS Check component, which is accessible through the /goform/goform_get_cmd_process file. This flaw allows for SQL injection attacks due to improper handling of the 'order_by' argument, enabling potential attackers to compromise the system remotely. Despite early notifications to the vendor, there has been no response regarding mitigation of this security issue, raising concerns about consumer safety and data integrity.

Affected Version(s)

4G Portable WiFi TR118 V008-20220830

References

https://vuldb.com/?id.280969
vdb-entrytechnical-description
https://vuldb.com/?ctiid.280969
signaturepermissions-required
https://vuldb.com/?submit.422994
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Allan Njuguna (VulDB User)
.