Command Injection Vulnerability in TOTOLINK CP900L
CVE-2024-35401

5.9 MEDIUM

Key Information:

Vendor
TOTOLINK
CVE Published:
28 May 2024

Summary

The TOTOLINK CP900L device has a vulnerability that permits command injection through the FileName parameter in the UploadFirmwareFile function. This flaw could be exploited to execute arbitrary commands, potentially compromising network security and integrity. Such vulnerabilities are critical to address to maintain robust defenses against unauthorized access and exploitation in IoT environments.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published