CVE-2024-10195

A vulnerability was found in Tecno 4G Portable WiFi TR118 V008-20220830. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /goform/goform_get_cmd_process of the component SMS Check. The manipulation of the argument order_by leads to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
References
Link Resource
https://asciinema.org/a/2mwkmDqRZfeAYTu5hHre1r4QB Broken Link
https://vuldb.com/?ctiid.280969 Permissions Required
https://vuldb.com/?id.280969 Permissions Required
https://vuldb.com/?submit.422994 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:tecno-mobile:4g_portable_wifi_tr118_firmware:v008-20220830:*:*:*:*:*:*:*
cpe:2.3:h:tecno-mobile:4g_portable_wifi_tr118:-:*:*:*:*:*:*:*

History

24 Oct 2024, 14:28

Type Values Removed Values Added
First Time Tecno-mobile
Tecno-mobile 4g Portable Wifi Tr118 Firmware
Tecno-mobile 4g Portable Wifi Tr118
CPE cpe:2.3:o:tecno-mobile:4g_portable_wifi_tr118_firmware:v008-20220830:*:*:*:*:*:*:*
cpe:2.3:h:tecno-mobile:4g_portable_wifi_tr118:-:*:*:*:*:*:*:*
CVSS v2 : 5.8
v3 : 4.7
v2 : 5.8
v3 : 9.8
References () https://asciinema.org/a/2mwkmDqRZfeAYTu5hHre1r4QB - () https://asciinema.org/a/2mwkmDqRZfeAYTu5hHre1r4QB - Broken Link
References () https://vuldb.com/?ctiid.280969 - () https://vuldb.com/?ctiid.280969 - Permissions Required
References () https://vuldb.com/?id.280969 - () https://vuldb.com/?id.280969 - Permissions Required
References () https://vuldb.com/?submit.422994 - () https://vuldb.com/?submit.422994 - Third Party Advisory

21 Oct 2024, 17:09

Type Values Removed Values Added
Summary
  • (es) Se ha detectado una vulnerabilidad en Tecno 4G Portable WiFi TR118 V008-20220830. Se ha declarado como crítica. Esta vulnerabilidad afecta a una funcionalidad desconocida del archivo /goform/goform_get_cmd_process del componente SMS Check. La manipulación del argumento order_by conduce a una inyección SQL. El ataque se puede lanzar de forma remota. Se contactó al proveedor con anticipación sobre esta revelación, pero no respondió de ninguna manera.

20 Oct 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-20 09:15

Updated : 2024-10-24 14:28


NVD link : CVE-2024-10195

Mitre link : CVE-2024-10195

CVE.ORG link : CVE-2024-10195


JSON object : View

Products Affected

tecno-mobile

  • 4g_portable_wifi_tr118_firmware
  • 4g_portable_wifi_tr118
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')