Command Injection Vulnerability in TOTOLINK X5000R Router
CVE-2024-32354

6MEDIUM

Key Information:

Vendor: TOTOLINK
Status: X5000r Firmware
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-32354?

The TOTOLINK X5000R is susceptible to a command injection vulnerability. This weakness arises from improper handling of the 'timeout' parameter in the setSSServer function located at /cgi-bin/cstecgi.cgi. By manipulating this parameter, an attacker could potentially execute arbitrary commands on the device. This vulnerability poses a risk to the security and integrity of the network environment, making it essential for users to evaluate their system configurations and apply necessary mitigations.

References

https://www.totolink.net/

https://github.com/1s1and123/Vulnerabilities/blob/main/de...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024