CVE-2024-7171

A vulnerability classified as critical has been found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. Affected is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostTime leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272592. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:totolink:a3600r_firmware:4.1.2cu.5182_b20201102:*:*:*:*:*:*:*
cpe:2.3:h:totolink:a3600r:-:*:*:*:*:*:*:*

History

21 Nov 2024, 09:51

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 8.8
v2 : 6.5
v3 : 6.3
References () https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3600R/NTPSyncWithHost.md - Exploit () https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3600R/NTPSyncWithHost.md - Exploit
References () https://vuldb.com/?ctiid.272592 - Third Party Advisory () https://vuldb.com/?ctiid.272592 - Third Party Advisory
References () https://vuldb.com/?id.272592 - Third Party Advisory () https://vuldb.com/?id.272592 - Third Party Advisory
References () https://vuldb.com/?submit.378038 - Third Party Advisory () https://vuldb.com/?submit.378038 - Third Party Advisory

08 Aug 2024, 12:39

Type Values Removed Values Added
First Time Totolink
Totolink a3600r
Totolink a3600r Firmware
References () https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3600R/NTPSyncWithHost.md - () https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3600R/NTPSyncWithHost.md - Exploit
References () https://vuldb.com/?ctiid.272592 - () https://vuldb.com/?ctiid.272592 - Third Party Advisory
References () https://vuldb.com/?id.272592 - () https://vuldb.com/?id.272592 - Third Party Advisory
References () https://vuldb.com/?submit.378038 - () https://vuldb.com/?submit.378038 - Third Party Advisory
CPE cpe:2.3:o:totolink:a3600r_firmware:4.1.2cu.5182_b20201102:*:*:*:*:*:*:*
cpe:2.3:h:totolink:a3600r:-:*:*:*:*:*:*:*
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 8.8

29 Jul 2024, 14:12

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad ha sido encontrada en TOTOLINK A3600R 4.1.2cu.5182_B20201102 y clasificada como crítica. La función NTPSyncWithHost del fichero /cgi-bin/cstecgi.cgi es afectada por la vulnerabilidad. La manipulación del argumento hostTime conduce a la inyección de comandos del sistema operativo. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. El identificador de esta vulnerabilidad es VDB-272592. NOTA: Se contactó al proveedor tempranamente sobre esta divulgación, pero no respondió de ninguna manera.

28 Jul 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-28 23:15

Updated : 2024-11-21 09:51


NVD link : CVE-2024-7171

Mitre link : CVE-2024-7171

CVE.ORG link : CVE-2024-7171


JSON object : View

Products Affected

totolink

  • a3600r
  • a3600r_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')