Lucene search

MitreVULNRICHMENT:CVE-2024-42739

HistoryAug 13, 2024 - 12:00 a.m.

CVE-2024-42739

2024-08-1300:00:00

mitre

github.com

totolink x5000r

os command injection

setaccessdevicecfg

authenticated attackers

arbitrary commands

AI Score

Confidence

High

EPSS

0.001

Percentile

48.3%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setAccessDeviceCfg. Authenticated Attackers can send malicious packet to execute arbitrary commands.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:h:totolink:x5000r:-:*:*:*:*:*:*:*"
    ],
    "vendor": "totolink",
    "product": "x5000r",
    "versions": [
      {
        "status": "affected",
        "version": "v9.1.0cu.2350_b20230313"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/HouseFuzz/reports/blob/main/totolink/x5000r/setAccessDeviceCfg/setAccessDeviceCfg.md