CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7336 – TOTOLINK EX200 cstecgi.cgi loginauth buffer overflow
https://notcve.org/view.php?id=CVE-2024-7336
01 Aug 2024 — A vulnerability classified as critical was found in TOTOLINK EX200 4.0.3c.7646_B20201211. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument http_host leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/EX200/loginauth.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7335 – TOTOLINK EX200 getSaveConfig buffer overflow
https://notcve.org/view.php?id=CVE-2024-7335
01 Aug 2024 — A vulnerability classified as critical has been found in TOTOLINK EX200 4.0.3c.7646_B20201211. Affected is the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument http_host leads to buffer overflow. It is possible to launch the attack remotely. • https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/EX200/getSaveConfig.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31807
https://notcve.org/view.php?id=CVE-2024-31807
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. Se descubrió que TOTOLINK EX200 V4.0.3c.7646_B20201211 contiene una vulnerabilidad de ejecución remota de código (RCE) a través del parámetro hostTime en la función NTPSyncWithHost. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/CI_2_NTPSyncWithHost/CI.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31808
https://notcve.org/view.php?id=CVE-2024-31808
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. Se descubrió que TOTOLINK EX200 V4.0.3c.7646_B20201211 contiene una vulnerabilidad de ejecución remota de código (RCE) a través del parámetro webWlanIdx en la función setWebWlanIdx. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/CI_3_setWebWlanIdx/CI.md • CWE-233: Improper Handling of Parameters •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31809
https://notcve.org/view.php?id=CVE-2024-31809
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function. Se descubrió que TOTOLINK EX200 V4.0.3c.7646_B20201211 contiene una vulnerabilidad de ejecución remota de código (RCE) a través del parámetro FileName en la función setUpgradeFW. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/CI_4_setUpgradeFW/CI.md • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31811
https://notcve.org/view.php?id=CVE-2024-31811
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the langType parameter in the setLanguageCfg function. Se descubrió que TOTOLINK EX200 V4.0.3c.7646_B20201211 contiene una vulnerabilidad de ejecución remota de código (RCE) a través del parámetro langType en la función setLanguageCfg. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/CI_1_setLanguageCfg/CI.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31814
https://notcve.org/view.php?id=CVE-2024-31814
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. TOTOLINK EX200 V4.0.3c.7646_B20201211 permite a los atacantes omitir el inicio de sesión a través de la función Form_Login. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Login_Bypass/bypass.md • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31805
https://notcve.org/view.php?id=CVE-2024-31805
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function. TOTOLINK EX200 V4.0.3c.7646_B20201211 permite a atacantes iniciar el servicio Telnet sin autorización a través del parámetro telnet_enabled en la función setTelnetCfg. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/CI_5_setTelnetCfg/CI.md • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31806
https://notcve.org/view.php?id=CVE-2024-31806
08 Apr 2024 — TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization. Se descubrió que TOTOLINK EX200 V4.0.3c.7646_B20201211 contiene una vulnerabilidad de denegación de servicio (DoS) en la función RebootSystem que puede reiniciar el sistema sin autorización. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/DoS_RebootSystem/DoS.md •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31812
https://notcve.org/view.php?id=CVE-2024-31812
08 Apr 2024 — In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig. En TOTOLINK EX200 V4.0.3c.7646_B20201211, un atacante puede obtener información confidencial sin autorización a través de la función getWiFiExtenderConfig. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Leak_getWiFiExtenderConfig/Leak.md • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •