Filtered by vendor Totolink
Subscribe
Search
Total
266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6612 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-12-12 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Totolink X5000R 9.1.0cu.2300_B20230112. It has been rated as critical. This issue affects the function setDdnsCfg/setDynamicRoute/setFirewallType/setIPSecCfg/setIpPortFilterRules/setLancfg/setLoginPasswordCfg/setMacFilterRules/setMtknatCfg/setNetworkConfig/setPortForwardRules/setRemoteCfg/setSSServer/setScheduleCfg/setSmartQosCfg/setStaticDhcpRules/setStaticRoute/setVpnAccountCfg/setVpnPassCfg/setVpnUser/setWiFiAclAddConfig/setWiFiEasyGuestCfg/setWiFiGuestCfg/setWiFiRepeaterConfig/setWiFiScheduleCfg/setWizardCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to os command injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247247. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-48860 | 1 Totolink | 2 N300rt, N300rt Firmware | 2023-12-12 | N/A | 9.8 CRITICAL |
| TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allows attackers can bypass front-end security restrictions and execute arbitrary code. | |||||
| CVE-2023-48859 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2023-12-12 | N/A | 8.8 HIGH |
| TOTOLINK A3002RU version 2.0.0-B20190902.1958 has a post-authentication RCE due to incorrect access control, allows attackers to bypass front-end security restrictions and execute arbitrary code. | |||||
| CVE-2023-48800 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_417338 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability. | |||||
| CVE-2023-48799 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| TOTOLINK-X6000R Firmware-V9.4.0cu.852_B20230719 is vulnerable to Command Execution. | |||||
| CVE-2023-48811 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48810 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48812 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48808 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48807 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48806 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48805 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48804 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-07 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48801 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_415534 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability. | |||||
| CVE-2023-48803 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-43454 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the hostName parameter of the switchOpMode component. | |||||
| CVE-2023-43455 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the command parameter of the setting/setTracerouteCfg component. | |||||
| CVE-2023-43453 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the IP parameter of the setDiagnosisCfg component. | |||||
| CVE-2023-48802 | 1 Totolink | 2 X6000r, X6000r Firmware | 2023-12-06 | N/A | 9.8 CRITICAL |
| In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability. | |||||
| CVE-2023-48192 | 1 Totolink | 2 A3700r, A3700r Firmware | 2023-11-29 | N/A | 7.8 HIGH |
| An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function. | |||||
| CVE-2023-39618 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-08-25 | N/A | 9.8 CRITICAL |
| TOTOLINK X5000R B20210419 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg interface. | |||||
| CVE-2023-39617 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-08-25 | N/A | 9.8 CRITICAL |
| TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function. | |||||
| CVE-2023-4410 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023. This affects the function setDiagnosisCfg. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237513 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4412 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability was found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. This issue affects the function setWanCfg. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237515. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4411 | 1 Totolink | 2 Ex1200l, Ex1200l Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 and classified as critical. This vulnerability affects the function setTracerouteCfg. The manipulation leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-237514 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-40042 | 1 Totolink | 2 T10 V2, T10 V2 Firmware | 2023-08-11 | N/A | 9.8 CRITICAL |
| TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow in setStaticDhcpConfig in /lib/cste_modules/lan.so. Attackers can send crafted data in an MQTT packet, via the comment parameter, to control the return address and execute code. | |||||
| CVE-2023-40041 | 1 Totolink | 2 T10 V2, T10 V2 Firmware | 2023-08-11 | N/A | 9.8 CRITICAL |
| TOTOLINK T10_v2 5.9c.5061_B20200511 has a stack-based buffer overflow in setWiFiWpsConfig in /lib/cste_modules/wps.so. Attackers can send crafted data in an MQTT packet, via the pin parameter, to control the return address and execute code. | |||||
| CVE-2022-44251 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function. | |||||
| CVE-2022-40475 | 1 Totolink | 2 A860r, A860r Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLINK A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection via the component /cgi-bin/downloadFile.cgi. | |||||
| CVE-2022-48066 | 1 Totolink | 2 A830r, A830r Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| An issue in the component global.so of Totolink A830R V4.1.2cu.5182 allows attackers to bypass authentication via a crafted cookie. | |||||
| CVE-2022-48067 | 1 Totolink | 2 A830r, A830r Firmware | 2023-08-08 | N/A | 5.5 MEDIUM |
| An information disclosure vulnerability in Totolink A830R V4.1.2cu.5182 allows attackers to obtain the root password via a brute-force attack. | |||||
| CVE-2022-44249 | 1 Totolink | 2 Lr350, Lr350 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function. | |||||
| CVE-2022-44843 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the port parameter in the setting/setOpenVpnClientCfg function. | |||||
| CVE-2021-42888 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack. | |||||
| CVE-2022-37078 | 1 Totolink | 2 A7000r, A7000r Firmware | 2023-08-08 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the lang parameter at /setting/setLanguageCfg. | |||||
| CVE-2022-38535 | 1 Totolink | 2 A720r, A720r Firmware | 2023-08-08 | N/A | 7.2 HIGH |
| TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function. | |||||
| CVE-2021-42884 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceName of the file global.so which can control thedeviceName to attack. | |||||
| CVE-2022-41518 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi. | |||||
| CVE-2022-38828 | 1 Totolink | 2 T6, T6 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi | |||||
| CVE-2021-42893 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| In TOTOLINK EX1200T V4.1.2cu.5215, an attacker can obtain sensitive information (wifikey, etc.) without authorization through getSysStatusCfg. | |||||
| CVE-2022-38826 | 1 Totolink | 2 T6, T6 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi. | |||||
| CVE-2021-42875 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin. | |||||
| CVE-2022-26207 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26209 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26208 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setWebWlanIdx, via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26212 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDeviceName, via the deviceMac and deviceName parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26213 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via the tz parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26211 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-27003 | 1 Totolink | 4 A7000r, A7000r Firmware, X5000r and 1 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-27004 | 1 Totolink | 4 A7000r, A7000r Firmware, X5000r and 1 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||