CVE-2024-42741

In TOTOLINK X5000r v9.1.0cu.2350b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setL2tpServerCfg. Authenticated Attackers can send malicious packet to execute arbitrary commands...

CVE-2024-7335

A vulnerability classified as critical has been found in TOTOLINK EX200 4.0.3c.7646B20201211. Affected is the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument httphost leads to buffer overflow. It is possible to launch the attack...

TOTOLINK EX200 安全漏洞

The TOTOLINK EX200 is a 2.4G wireless N range extender designed to extend the coverage of existing Wi-Fi networks. A buffer overflow vulnerability exists in the TOTOLINK EX200. The vulnerability originates from the file /cgi-bin/cstecgi.cgi?action=save&setting The function getSaveConfig as...

CVE-2024-7181

A vulnerability classified as critical was found in TOTOLINK A3600R 4.1.2cu.5182B20201102. This vulnerability affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument telnetenabled leads to command injection. The attack can be initiated remotely. The...

PT-2024-38146 · Totolink · Totolink A3600R

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3600R version 4.1.2cu.5182 B20201102 Description: A critical issue has been found, affecting the setUrlFilterRules function of the file /cgi-bin/cstecgi.cgi. The manipulation of the url argument leads to a buffer overflow. This issu...

TOTOLINK A3600R 安全漏洞

TOTOLINK A3600R is a 6-antenna 1200M wireless router from China's Gion Electronics TOTOLINK. The TOTOLINK A3600R suffers from a buffer overflow vulnerability that originates from improper handling of the FileName parameter in the setUpgradeFW function of the /cgi-bin/cstecgi.cgi file. An attacker...

CVE-2024-7171

A vulnerability classified as critical has been found in TOTOLINK A3600R 4.1.2cu.5182B20201102. Affected is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostTime leads to os command injection. It is possible to launch the attack remotely. The...

CVE-2024-0944

A vulnerability was found in Totolink T8 4.1.5cu.83320220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is...

Axis Communications P3225 and M3005 Network Cameras Improper Privilege Management (CVE-2017-20049)

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely. This plugin only works with Tenable.ot. Please visit...

The vulnerability of the UploadFirmwareFile function (/cgi-bin/cstecgi.cgi) in the Totolink N200RE router microprogramming software allows a hacker to execute arbitrary code.

The vulnerability of the UploadFirmwareFile function /cgi-bin/cstecgi.cgi in the Totolink N200RE router microprogramming system exists due to the failure to implement measures to neutralize specific elements. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

The vulnerability of the file /cgi-bin/cstecgi.cgi?action=login&flag=ie8, which is part of the microprogramming software for TOTOLINK N350RT routers, allows a hacker to execute arbitrary code.

The vulnerability of the file /cgi-bin/cstecgi.cgi?action=login&flag=ie8 in the microprogramming software for TOTOLINK N350RT routers is related to buffer overflow in the stack. Exploiting this vulnerability allows an attacker operating remotely to execute arbitrary code...

CVE-2024-0292

A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619B20230130. Affected is the function setOpModeCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to os command injection. It is possible to launch the attack remotely. The explo...

PT-2024-1058 · Totolink · Totolink Lr1200Gb

Name of the Vulnerable Software and Affected Versions: Totolink LR1200GB version 9.1.0u.6619 B20230130 Description: A critical vulnerability was found in the Totolink LR1200GB router's software. The issue affects the setUploadSetting function of the /cgi-bin/cstecgi.cgi file. The manipulation of...

TOTOLINK EX1800T 安全漏洞

The TOTOLINK EX1800T is a Wi-Fi range extender from China's Gion Electronics TOTOLINK. A command execution vulnerability exists in the TOTOLINK EX1800T version v9.1.0cu.2112B20220316. The vulnerability stems from the hosttime parameter of the NTPSyncWithHost interface of cstecgi .cgi failing to...

(Pwn2Own) Western Digital MyCloud PR4100 account_mgr Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Western Digital MyCloud PR4100 NAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the accountmgr cgi script. The issue results from t...

PT-2023-5734 · D Link · D-Link Dir-X3260

Name of the Vulnerable Software and Affected Versions: D-Link DIR-X3260 affected versions not specified Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this...

CVE-2023-31729

TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi...

JSA10469 - Pre-authentication CGI script prints arbitrary contents of XML and ZIP files

Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Certain CGI scripts found on the appliance are accessible during pre-authentication. There is an issue that may allow access to arbitrary XML files or the contents of ZIP files on the...

JSA10470 - Pre-authentication CGI script fails to fully validate all parameters

Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CGI scripts accessible during pre-authentication may fail to verify the validity of values supplied as parameters. This could lead to the arbitrary fetching of ".exe" files from the...

K15893: Apache HTTP server vulnerabilities CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, and CVE-2014-3523

Security Advisory Description CVE-2014-0117 The modproxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service child-process crash via a crafted HTTP Connection header. CVE-2014-0118 The deflateinfilter function...