PT-2024-38146 · Totolink · Totolink A3600R

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3600R version 4.1.2cu.5182 B20201102 Description: A critical issue has been found, affecting the setUrlFilterRules function of the file /cgi-bin/cstecgi.cgi. The manipulation of the url argument leads to a buffer overflow. This issu...

CVE-2024-7171

A vulnerability classified as critical has been found in TOTOLINK A3600R 4.1.2cu.5182B20201102. Affected is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostTime leads to os command injection. It is possible to launch the attack remotely. The...

CVE-2024-0944

A vulnerability was found in Totolink T8 4.1.5cu.83320220905. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is...

Axis Communications P3225 and M3005 Network Cameras Improper Privilege Management (CVE-2017-20049)

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely. This plugin only works with Tenable.ot. Please visit...

CVE-2024-0292

A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619B20230130. Affected is the function setOpModeCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to os command injection. It is possible to launch the attack remotely. The explo...

PT-2024-1058 · Totolink · Totolink Lr1200Gb

Name of the Vulnerable Software and Affected Versions: Totolink LR1200GB version 9.1.0u.6619 B20230130 Description: A critical vulnerability was found in the Totolink LR1200GB router's software. The issue affects the setUploadSetting function of the /cgi-bin/cstecgi.cgi file. The manipulation of...

TOTOLINK EX1800T 安全漏洞

The TOTOLINK EX1800T is a Wi-Fi range extender from China's Gion Electronics TOTOLINK. A command execution vulnerability exists in the TOTOLINK EX1800T version v9.1.0cu.2112B20220316. The vulnerability stems from the hosttime parameter of the NTPSyncWithHost interface of cstecgi .cgi failing to...

(Pwn2Own) Western Digital MyCloud PR4100 account_mgr Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Western Digital MyCloud PR4100 NAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the accountmgr cgi script. The issue results from t...

PT-2023-5734 · D Link · D-Link Dir-X3260

Name of the Vulnerable Software and Affected Versions: D-Link DIR-X3260 affected versions not specified Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Although authentication is required to exploit this...

CVE-2023-31729

TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi...

JSA10469 - Pre-authentication CGI script prints arbitrary contents of XML and ZIP files

Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. Certain CGI scripts found on the appliance are accessible during pre-authentication. There is an issue that may allow access to arbitrary XML files or the contents of ZIP files on the...

JSA10470 - Pre-authentication CGI script fails to fully validate all parameters

Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CGI scripts accessible during pre-authentication may fail to verify the validity of values supplied as parameters. This could lead to the arbitrary fetching of ".exe" files from the...

K15893: Apache HTTP server vulnerabilities CVE-2014-0117, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, and CVE-2014-3523

Security Advisory Description CVE-2014-0117 The modproxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service child-process crash via a crafted HTTP Connection header. CVE-2014-0118 The deflateinfilter function...

U.S. Dept Of Defense: an internel important paths disclosure [HtUS]

Summary: i found CGI script environment variable disclosure an important paths Steps To Reproduce: 1. visit this link : https://███ 2. look at poc pic you should restrict this quickly Impact this is so dangerous because attacker now know an internal paths and this juicy information as u can see i...

WAVLINK WN579 X3 Information Disclosure Vulnerability (CNVD-2022-61036)

The WAVLINK WN579 X3 is a wireless router from the Chinese company WAVLINK. An information disclosure vulnerability exists in WAVLINK WN579 X3 M79X3.V5030.180719 version, which originates from improper authorization management in /cgi-bin/ExportAllSettings.sh. An attacker can exploit this...

CVE-2017-20049

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely...

Design/Logic Flaw

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely...

CVE-2017-20049

Axis legacy network cameras (P3225, M3005) are affected by CVE-2017-20049 due to a flaw in an unspecified part of the CGI Script, causing improper privilege management. The vulnerability can be triggered remotely, enabling an attacker to exploit the issue without user interaction. No explicit roo...

CVE-2017-20049

A vulnerability, was found in legacy Axis devices such as P3225 and M3005. This affects an unknown part of the component CGI Script. The manipulation leads to improper privilege management. It is possible to initiate the attack remotely...

PT-2022-7922 · Axis · Axis Device

Name of the Vulnerable Software and Affected Versions: Axis devices affected versions not specified Description: A vulnerability was found in legacy Axis devices, affecting an unknown part of the component CGI Script. The manipulation leads to improper privilege management, and it is possible to...