CVE-2022-37843 TOTOLINK A860R V4.1.2cu.5182_B20201027 in cstecgi.cgi has a command injection vulnerability.

Analysis of the source code of the vulnerable function revealed that the function checks the acquired parameter value before sending it to the system, which may result in command injection. An attacker can acquire necessary information such as the user ID, password hash, or any other sensitive data and use it to gain access to the system. To exploit this vulnerability, an attacker must be on the same network as the user who is accessing the system and must be able to manipulate the user's input. An attacker must also be in close physical or wireless connection to the user, such as during a man-in-the-middle attack. On the other hand, the source code of the vulnerable function is publicly available on the Internet. Therefore, it is very likely that a hacker can exploit this vulnerability.

A command injection vulnerability exists on the TOTOLINK A860R V4.1.2cu.5182_B20201027 router, which can be exploited by an attacker to gain access to the system. An attacker must be on the same network as the user who is accessing the system and must be able to manipulate the user's input in order to exploit this vulnerability. An attacker must also be in close physical or wireless connection to the user, such as during a man-in-the-middle attack. On the other hand, the source code of the vulnerable function is publicly available on the Internet, so it is very likely that a hacker can exploit this vulnerability.

TOTOLINK A860R V4.1.2cu.5182_B20201027 has a potential DNS Rebinding vulnerability that can allow an attacker to manipulate the input parameters of the vulnerable function and execute arbitrary commands on a targeted device.
This vulnerability is caused by the insecure implementation of the UpdateDns method which allows an attacker to provide values directly to the UpdateDns method in an HTTP request without first verifying that they are authorized to do so, thus allowing access to sensitive information such as passwords and URLs.

Timeline

Published on: 09/06/2022 17:15:00 UTC
Last modified on: 09/08/2022 21:19:00 UTC

References