OS Command Injection Vulnerability in TOTOLINK X5000r Product
CVE-2024-42742

8.8HIGH

Key Information:

Vendor: Totolink
Status: X5000r Firmware
Vendor: CVE Published:; 12 August 2024

Summary

The TOTOLINK X5000r router is vulnerable due to an OS command injection flaw in the /cgi-bin/cstecgi.cgi component. Specifically, the issue arises within the setUrlFilterRules function, allowing authenticated attackers to exploit the vulnerability by crafting malicious packets. Successful exploitation can lead to the execution of arbitrary commands, posing significant risks to the device and potentially compromising its integrity and confidentiality.

References

https://github.com/HouseFuzz/reports/blob/main/totolink/x...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 12, 2024

Collectors

NVD DatabaseMitre Database