CVE-2024-42736

In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in addBlacklist. Authenticated Attackers can send malicious packet to execute arbitrary commands.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/HouseFuzz/reports/blob/main/totolink/x5000r/addBlacklist/addBlacklist.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:totolink:x5000r_firmware:9.1.0cu.2350_b20230313:*:*:*:*:*:*:*

cpe:2.3:h:totolink:x5000r:-:*:*:*:*:*:*:*

History

04 Apr 2025, 14:35

Type	Values Removed	Values Added
CPE		cpe:2.3:o:totolink:x5000r_firmware:9.1.0cu.2350_b20230313:::::::* cpe:2.3:h:totolink:x5000r:-:::::::*
Summary		(es) En TOTOLINK X5000r v9.1.0cu.2350_b20230313, el archivo /cgi-bin/cstecgi.cgi contiene una vulnerabilidad de inyección de comandos del sistema operativo en addBlacklist. Los atacantes autenticados pueden enviar paquetes maliciosos para ejecutar comandos arbitrarios.
First Time		Totolink Totolink x5000r Firmware Totolink x5000r
References	~~() https://github.com/HouseFuzz/reports/blob/main/totolink/x5000r/addBlacklist/addBlacklist.md -~~	() https://github.com/HouseFuzz/reports/blob/main/totolink/x5000r/addBlacklist/addBlacklist.md - Exploit, Third Party Advisory

13 Aug 2024, 16:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-78

13 Aug 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-13 14:15

Updated : 2025-04-04 14:35

NVD link : CVE-2024-42736

Mitre link : CVE-2024-42736

CVE.ORG link : CVE-2024-42736

JSON object : View

Products Affected

totolink

x5000r_firmware
x5000r

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-42736", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-08-13T14:15:13.160", "references": [{"url": "https://github.com/HouseFuzz/reports/blob/main/totolink/x5000r/addBlacklist/addBlacklist.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in addBlacklist. Authenticated Attackers can send malicious packet to execute arbitrary commands."}, {"lang": "es", "value": "En TOTOLINK X5000r v9.1.0cu.2350_b20230313, el archivo /cgi-bin/cstecgi.cgi contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en addBlacklist. Los atacantes autenticados pueden enviar paquetes maliciosos para ejecutar comandos arbitrarios."}], "lastModified": "2025-04-04T14:35:31.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:totolink:x5000r_firmware:9.1.0cu.2350_b20230313:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA390FB2-CCD9-4861-84D6-88CAA9DF57F3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:totolink:x5000r:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BC45BFB0-0CF0-4F9E-B19D-D274B17F1591"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}

7.8 /10