CVE-2022-36614 Totolink A860R v4.1.2cu.5182_B20201027 had a hardcoded password for root at /etc/shadow.sample.
A hardcoded root password such as this one is a serious weakness rather than merely a bad sign: the same credential ships in every unit, and anyone who extracts the firmware image can pull the hash out of /etc/shadow.sample and crack or reuse it. Whether the file is a template that the init scripts copy into place at boot or a leftover from a third-party build, it should never contain a usable root hash. The
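The check a firmware reviewer would run for this class of bug is a scan of the unpacked root filesystem for shadow/passwd-style files, including templates such as shadow.sample, that still carry a hash which would authenticate. The following is an added example, not code from the advisory or from TOTOLINK; the file names it matches, the hash-prefix table and the sample shadow text are constructed for illustration, and the real contents of the CVE-2022-36614 file are not reproduced.

```python
"""Audit an unpacked firmware rootfs for usable hardcoded credentials (example code)."""
import os
import re
from dataclasses import dataclass

# File names that follow the shadow/passwd layout. Vendors sometimes ship a
# template (shadow.sample, passwd.default, ...) that init copies into /etc at boot.
CRED_FILE_RE = re.compile(r"^(shadow|passwd)(\.sample|\.default|\.orig|-)?$")

# crypt(3) prefixes -> algorithm name (assumed table for the example).
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


@dataclass
class CredEntry:
    path: str
    user: str
    algorithm: str
    hash: str
    is_root: bool


def classify_hash(field):
    """Return the algorithm name for a password field, or None if it cannot log anyone in."""
    if field == "x":                    # passwd placeholder: real hash lives in shadow
        return None
    if field == "":                     # empty field: often means no password at all
        return "none"
    if field.startswith(("!", "*")):    # locked account: nothing authenticates
        return None
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"               # classic 13-char DES crypt, trivially crackable
    return "unknown"


def parse_cred_file(text, path="<mem>"):
    """Parse shadow/passwd-style text and return the entries that would grant a login."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        algo = classify_hash(field)
        if algo is None:
            continue
        entries.append(CredEntry(path, user, algo, field, user == "root"))
    return entries


def scan_rootfs(rootfs_dir):
    """Walk an unpacked rootfs and collect usable credentials from every matching file."""
    findings = []
    for dirpath, _dirs, names in os.walk(rootfs_dir):
        for name in names:
            if not CRED_FILE_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    findings.extend(parse_cred_file(fh.read(), path))
            except OSError:
                continue                # unreadable file: skip, do not abort the scan
    return findings


# Constructed sample resembling a vendor shadow template; the hash is a dummy value.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
nobody:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_cred_file(SAMPLE_SHADOW, "/etc/shadow.sample"):
        print(f"{e.path}: user={e.user} algo={e.algorithm} root={e.is_root}")
```

Any entry reported for root, or any entry with algorithm "none" or "descrypt", is a finding on its own; md5crypt and sha*crypt hashes are still worth feeding to a cracker, because a shared vendor password is usually short. Run `scan_rootfs` against the squashfs directory produced by your firmware extractor.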
CVE-2022-38794 Zaver through 2020-12-15 allows directory traversal via the GET /.. substring.
A traversal in the request path lets a client walk out of the document root with ../ segments and read files that should never be served, such as configuration files or password databases. All it takes is
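The bug and its fix, as an added example that is not Zaver's code: `naive_resolve` shows what a server effectively does when it glues the request path onto the document root, and `safe_resolve` decodes, normalises and then checks containment before touching the filesystem. The document root and request lines are assumed values for the illustration.

```python
"""Path traversal via GET /.. : vulnerable vs. contained path resolution (example code)."""
import posixpath
from urllib.parse import unquote


def naive_resolve(docroot, request_path):
    """Vulnerable pattern: concatenate and normalise. '/..' segments climb above docroot."""
    return posixpath.normpath(docroot + request_path)


def safe_resolve(docroot, request_path):
    """Return the filesystem path for request_path, or None if it would escape docroot."""
    docroot = posixpath.normpath(docroot)
    # Strip the query string, then percent-decode; %2e%2e is the classic encoded bypass.
    decoded = unquote(request_path.split("?", 1)[0])
    if "\x00" in decoded:                     # NUL would truncate the path in a C server
        return None
    # Treat the request path as relative to docroot and collapse '.', '..' and '//'.
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # Containment check on the normalised result, not on the raw string.
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


def route(docroot, request_line):
    """Minimal request-line dispatcher returning (status, resolved_path)."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return 400, None
    if method != "GET":
        return 405, None
    path = safe_resolve(docroot, target)
    return (200, path) if path else (403, None)


if __name__ == "__main__":
    # Constructed request lines for demonstration.
    for line in ("GET /index.html HTTP/1.0",
                 "GET /../../../etc/passwd HTTP/1.0",
                 "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0"):
        print(line, "->", route("/var/www/html", line))
```

On a real filesystem, apply the same containment test to `os.path.realpath(candidate)` as well, so a symlink inside the document root cannot point outside it.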
CVE-2022-37316 An API access control vulnerability in Archer Platform 6.8 P3 could allow unauthorized metadata to be presented to an authenticated user.
CVE-2022-37081 TOTOLINK A7000R V9.1.0u.6115 contains a command injection vulnerability via the command parameter at setting/setTracerouteCfg.
This issue can be exploited by sending a request of the following form to the router's web interface, with shell metacharacters in the command parameter (the request as shown on this page is incomplete):
POST /cgi-bin/setTracerouteCfg HTTP/1.0 Host:
CVE-2022-37080 TOTOLINK A7000R V9.1.0u.6115_B20201022 had a stack overflow vulnerability when setting/setTracerouteCfg was used.
This issue was discovered during internal testing. As a precautionary measure, we are notifying our customers and partners about this issue. We recommend updating your
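Both setTracerouteCfg bugs come from the same handler trusting the same parameter: CVE-2022-37081 because its value is spliced into a shell string, CVE-2022-37080 because its length is never bounded before it is copied. The following is an added example and not TOTOLINK's code: `vulnerable_build` reproduces the shell-string pattern (returned, not executed), and `hardened_build` shows the fix a practitioner would apply, a strict target validator with a length cap and an argv list passed to the process without a shell. The `command` parameter name is from the advisory; the traceroute options, the 64-byte cap and the sample inputs are assumptions.

```python
"""Command injection in a traceroute CGI: vulnerable shell string vs. validated argv (example code)."""
import ipaddress
import re
import subprocess

MAX_TARGET_LEN = 64     # assumed bound; also limits what reaches any fixed-size buffer
# RFC 1123 hostname: labels of alnum/hyphen, no leading/trailing hyphen, <=63 chars each.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?",
    re.IGNORECASE,
)


def vulnerable_build(params):
    """Pattern behind CVE-2022-37081: the parameter lands verbatim in a string that
    /bin/sh -c will later run, so '; cat /etc/shadow' becomes a second command."""
    return "traceroute -m 30 " + params.get("command", "")


def validate_target(value):
    """Accept only an IP literal or a syntactically valid hostname; return canonical form."""
    if not isinstance(value, str) or not value or len(value) > MAX_TARGET_LEN:
        return None
    try:
        return str(ipaddress.ip_address(value))      # covers IPv4 and IPv6 literals
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(value):                 # fullmatch: no trailing newline trick
        return value.lower()
    return None


def hardened_build(params):
    """Return the argv list for traceroute, or None if the target is rejected.
    No shell is involved, and the validator guarantees the target cannot start
    with '-', so it can never be parsed as an option."""
    target = validate_target(params.get("command", ""))
    if target is None:
        return None
    return ["traceroute", "-m", "30", target]


def run_traceroute(params, timeout=60):
    """Execute the hardened command; raises ValueError on rejected input."""
    argv = hardened_build(params)
    if argv is None:
        raise ValueError("rejected traceroute target")
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed inputs: what an attacker sends, and what a legitimate client sends.
    evil = {"command": "8.8.8.8; cat /etc/shadow"}
    print("vulnerable:", vulnerable_build(evil))
    print("hardened  :", hardened_build(evil))
    print("hardened  :", hardened_build({"command": "example.com"}))
```

The length cap is the cheap half of the fix for the stack overflow; the real one is to stop copying the parameter into a fixed-size stack buffer with an unbounded strcpy/sprintf in the CGI handler itself.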