CVE-2024-7215 – TOTOLINK LR1200 cstecgi.cgi NTPSyncWithHost command injection
https://notcve.org/view.php?id=CVE-2024-7215
A vulnerability was found in TOTOLINK LR1200 9.3.1cu.2832 and classified as critical. Affected by this issue is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument host_time leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/LR1200/NTPSyncWithHost.md
https://vuldb.com/?ctiid.272786
https://vuldb.com/?id.272786
https://vuldb.com/?submit.378330
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-7170 – TOTOLINK A3000RU product.ini hard-coded password
https://notcve.org/view.php?id=CVE-2024-7170
A vulnerability was found in TOTOLINK A3000RU 5.9c.5185. It has been rated as problematic. This issue affects some unknown processing of the file /web_cste/cgi-bin/product.ini. The manipulation leads to use of hard-coded password. The exploit has been disclosed to the public and may be used.
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/A3000RU/product.md
https://vuldb.com/?ctiid.272591
https://vuldb.com/?id.272591
https://vuldb.com/?submit.377957
CWE-259: Use of Hard-coded Password
CVE-2024-41319
https://notcve.org/view.php?id=CVE-2024-41319
TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.
https://gist.github.com/yanggao017/40efb889800ae2691c38086ebf80c037
https://github.com/yanggao017/vuln/blob/main/TOTOLINK/A6000R/CI_7_webcmd/README.md
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-1661 – Totolink X6000R shadow hard-coded credentials
https://notcve.org/view.php?id=CVE-2024-1661
A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high.
https://github.com/WoodManGitHub/MyCVEs/blob/main/2024-Totolink/X6000R-Hardcoded-Password.md
https://vuldb.com/?ctiid.254179
https://vuldb.com/?id.254179
CWE-798: Use of Hard-coded Credentials
CVE-2024-24332
https://notcve.org/view.php?id=CVE-2024-24332
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.
https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/9/TOTOlink%20A3300R%20setUrlFilterRules.md
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')