Buffer Overflow in TOTOLINK A3600R Device Management
CVE-2024-7174

8.8HIGH

Key Information:

Vendor: TOTOLINK
Status: A3600r Firmware
Vendor: CVE Published:; 29 July 2024

Summary

A significant buffer overflow vulnerability has been identified in the TOTOLINK A3600R, specifically within the function setdeviceName located in the cstecgi.cgi script. This flaw arises when improper validation is applied to the input parameters deviceMac and deviceName, enabling attackers to manipulate these arguments and execute arbitrary code remotely. Despite early disclosure to the vendor, no response has been received regarding a fix or patch, leaving users of this model at risk of exploitation. The vulnerability underscores the necessity for diligent security practices in device management systems.

References

https://vuldb.com/?id.272595

https://vuldb.com/?ctiid.272595

https://vuldb.com/?submit.378041

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 29, 2024