Lucene search

K
cnvdChina National Vulnerability DatabaseCNVD-2024-15743
HistoryMar 22, 2024 - 12:00 a.m.

Tenda AC10 OS Command Injection Vulnerability (CNVD-2024-15743)

2024-03-2200:00:00
China National Vulnerability Database
www.cnvd.org.cn
3
tenda ac10u
wireless router
chinese company
command injection
vulnerability
mac parameter
formwritefacmac function
/goform/writefacmac file
arbitrary command execution

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

7.6 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.3%

The Tenda AC10 is a wireless router from the Chinese company Tenda. Tenda AC10U version 15.03.06.49 suffers from an operating system command injection vulnerability, which originates from the mac parameter of the formWriteFacMac function of the /goform/WriteFacMac file failing to correctly filter the constructor command special characters, commands, and so on. An attacker can exploit this vulnerability to cause arbitrary command execution.

CPENameOperatorVersion
tenda ac10 15.eq03.06.49

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

7.6 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

16.3%

Related for CNVD-2024-15743