
CVSS: 8.0 EPSS: 0% CPEs: 1 EXPL: 0

15 Mar 2024 — TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page. • https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/X2000R/XSS_3_MAC_Filtering/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.0 EPSS: 0% CPEs: 1 EXPL: 0

12 Mar 2024 — A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows attackers to log in to Administrator accounts by providing a crafted session cookie. • https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A8000RU/TOTOlink%20A8000RU%20login%20bypass.md • CWE-284: Improper Access Control •

CVSS: 9.0 EPSS: 0% CPEs: 1 EXPL: 1

10 Mar 2024 — A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/OraclePi/repo/blob/main/totolink%20X6000R/1/X6000R%20AX3000%20WiFi%206%20Giga%20unauthed%20rce.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0 EPSS: 0% CPEs: 1 EXPL: 1

23 Feb 2024 — A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619_B20230130/9.3.5u.6698_B20230810. Affected is the function loginAuth of the file /cgi-bin/cstecgi.cgi of the component Web Interface. The manipulation of the argument http_host leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://gist.github.com/manishkumarr1017/30bca574e2f0a6d6336115ba71111984 • CWE-121: Stack-based Buffer Overflow •

CVSS: 6.3 EPSS: 0% CPEs: 2 EXPL: 2

23 Feb 2024 — A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation leads to command injection. The exploit has been disclosed to the public and may be used. • https://github.com/Icycu123/CVE-2024-1781 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.5 EPSS: 0% CPEs: 1 EXPL: 1

20 Feb 2024 — A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. • https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-Totolink/X6000R-Hardcoded-Password.md • CWE-798: Use of Hard-coded Credentials •

CVSS: 10.0 EPSS: 9% CPEs: 2 EXPL: 1

30 Jan 2024 — TOTOLINK A8000RU v7.1cu.643_B20200521 was discovered to contain a hardcoded password for root stored in /etc/shadow. • https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A8000RU/TOTOlink%20A8000RU%20hard%20code.md • CWE-798: Use of Hard-coded Credentials •

CVSS: 10.0 EPSS: 4% CPEs: 2 EXPL: 1

30 Jan 2024 — TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function. • https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/11/TOTOlink%20A3300R%20setParentalRules.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0 EPSS: 4% CPEs: 2 EXPL: 1

30 Jan 2024 — TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function. • https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/8/TOTOlink%20A3300R%20setStaticDhcpRules.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0 EPSS: 4% CPEs: 2 EXPL: 1

30 Jan 2024 — TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function. • https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/7/TOTOlink%20A3300R%20setIpv6Cfg.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •