CVE-2023-34356

An OS command injection vulnerability exists in the data.cgi xferdns functionality of peplink Surf SOHO HW1 v6.3.5 in QEMU. A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability...

Command injection

An OS command injection vulnerability exists in the data.cgi xferdns functionality of peplink Surf SOHO HW1 v6.3.5 in QEMU. A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability...

CVE-2023-34356

The TALOS-2023-1778 advisory confirms a real OS command injection in Peplink Surf SOHO HW1 v6.3.5 (QEMU). The vulnerability exists in the data.cgi endpoint handling DNS transfer (the /cgi-bin/MANGA/data.cgi dispatcher). An authenticated user can craft a POST with option=xfer_dns and step=view_dom...

Peplink Surf SOHO HW1 Operating System Command Injection Vulnerability

The Peplink Surf SOHO HW1 is a small router from Peplink. An OS command injection vulnerability exists in Peplink Surf SOHO HW1 v6.3.5, which stems from an OS command injection vulnerability in the data.cgi xferdns function. An attacker can exploit this vulnerability to execute commands via...