CVE-2024-10654 – TOTOLINK LR350 formLoginAuth.htm authorization
https://notcve.org/view.php?id=CVE-2024-10654
01 Nov 2024 — A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. It affects an unknown function of the file /formLoginAuth.htm: setting the argument authCode to the value 1 bypasses authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/c0nyy/IoT_vuln • CWE-266: Incorrect Privilege Assignment CWE-285: Improper Authorization CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-42967
https://notcve.org/view.php?id=CVE-2024-42967
15 Aug 2024 — Incorrect access control in TOTOLINK LR350 V9.3.5u.6369_B20220309 allows attackers to obtain the apmib configuration file, which contains the username and password, via a crafted request to /cgi-bin/ExportSettings.sh. • https://github.com/TTTJJJWWW/AHU-IoT-vulnerable/blob/main/TOTOLINK/LR350/ExportSettings.md • CWE-284: Improper Access Control
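The two entries above are access-control failures that a monitoring point in front of the router can catch from request metadata alone: any fetch of /cgi-bin/ExportSettings.sh (which hands out the apmib file with the credentials in it) and a login request to /formLoginAuth.htm carrying authCode=1. The detector below is an added example written for this page, not code from TOTOLINK or from the linked write-ups. It assumes a constructed log format of `source-ip method request-target` per line, that authCode is visible in the query string, and that the management LAN is 192.168.0.0/24; none of those details come from the advisories.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: the management LAN behind the router.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample log, not captured traffic. Format assumed here:
# "<source-ip> <method> <request-target>", one request per line.
SAMPLE_LOG = """\
203.0.113.7 GET /formLoginAuth.htm?authCode=1
192.168.0.20 POST /formLoginAuth.htm?authCode=1
192.168.0.20 GET /formLoginAuth.htm?authCode=48213
203.0.113.7 GET /cgi-bin/ExportSettings.sh
192.168.0.20 GET /cgi-bin/ExportSettings.sh
192.168.0.20 GET /index.htm
"""


def classify(src_ip, method, target):
    """Return a list of (rule, severity) hits for one request, [] if nothing matched."""
    hits = []
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)
    inside = ipaddress.ip_address(src_ip) in LAN

    # CVE-2024-42967: ExportSettings.sh returns the apmib config (with the
    # username and password) without access control. Every hit deserves an
    # alert; from outside the LAN it is almost certainly credential theft.
    if path == "/cgi-bin/ExportSettings.sh":
        hits.append(("CVE-2024-42967 config export",
                     "high" if inside else "critical"))

    # CVE-2024-10654: authCode=1 sent to /formLoginAuth.htm bypasses
    # authorization, so that exact value is the indicator, whatever the method.
    if path == "/formLoginAuth.htm" and "1" in params.get("authCode", []):
        hits.append(("CVE-2024-10654 authCode bypass",
                     "high" if inside else "critical"))

    return hits


def scan_log(text):
    """Parse the constructed log and return one alert tuple per matching rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, method, target = line.split(maxsplit=2)
        for rule, severity in classify(src_ip, method, target):
            alerts.append((src_ip, method, target, rule, severity))
    return alerts


if __name__ == "__main__":
    for src_ip, method, target, rule, severity in scan_log(SAMPLE_LOG):
        print("%-8s %-14s %-4s %s  [%s]" % (severity, src_ip, method, target, rule))
```

Both rules fire on path and parameter only, so they also work on a proxy or IDS that cannot see response bodies; the LAN check only changes the severity, because on the affected build the ExportSettings.sh handler is unauthenticated for internal clients too.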
CVE-2024-7214 – TOTOLINK LR350 cstecgi.cgi setWanCfg command injection
https://notcve.org/view.php?id=CVE-2024-7214
30 Jul 2024 — A vulnerability has been found in TOTOLINK LR350 9.3.5u.6369_B20220309 and classified as critical. Affected by this vulnerability is the function setWanCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/abcdefg-png/IoT-vulnerable/blob/main/TOTOLINK/LR350/setWanCfg.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-37145
https://notcve.org/view.php?id=CVE-2023-37145
07 Jul 2023 — TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function. • https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/1/Readme.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-37146
https://notcve.org/view.php?id=CVE-2023-37146
07 Jul 2023 — TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function. • https://github.com/DaDong-G/Vulnerability_info/tree/main/TOTOLINK/lr350/2 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-37148
https://notcve.org/view.php?id=CVE-2023-37148
07 Jul 2023 — TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the ussd parameter in the setUssd function. • https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/3/README.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-37149
https://notcve.org/view.php?id=CVE-2023-37149
07 Jul 2023 — TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function. • https://github.com/DaDong-G/Vulnerability_info/blob/main/TOTOLINK/lr350/4/README.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-44249
https://notcve.org/view.php?id=CVE-2022-44249
23 Nov 2022 — TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the FileName parameter in the UploadFirmwareFile function. • https://brief-nymphea-813.notion.site/LR350-command-injection-UploadFirmwareFile-f006f70e9e6540529d262a8d34154d24 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-44250
https://notcve.org/view.php?id=CVE-2022-44250
23 Nov 2022 — TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the hostName parameter in the setOpModeCfg function. • https://brief-nymphea-813.notion.site/LR350-command-injection-setOpModeCfg-7133dfcdeb9c4dfb87d9b5f4490b9a07 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-44251
https://notcve.org/view.php?id=CVE-2022-44251
23 Nov 2022 — TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection via the ussd parameter in the setUssd function. • https://brief-nymphea-813.notion.site/LR350-command-injection-setUssd-f25d6489a0e44468bf455e7af1173fdb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
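Eight of the entries on this page (CVE-2024-7214, CVE-2023-37145, CVE-2023-37146, CVE-2023-37148, CVE-2023-37149, CVE-2022-44249, CVE-2022-44250 and CVE-2022-44251) are one defect class: a request value (hostName, FileName or ussd) reaches a shell command without neutralisation. The fix is the same in every case: validate against a strict allow-list that a legitimate value has to satisfy anyway, and never hand the value to a shell at all. The code below is an added example, not TOTOLINK firmware code or code from the linked write-ups. The three grammars (RFC 1123 host names, a bare file name for uploads, a USSD short code of the form *digits#), the placeholder tool names, and the generic `vulnerable_command`/`build_argv` pair modelling the CWE-77 pattern are all assumptions of this example rather than a description of the device's real handlers.

```python
import re

# Allow-list grammars. These are assumptions of this example, chosen so that
# every legitimate value passes and no shell metacharacter (; | & $ ` newline,
# quotes, spaces) can. Each grammar also forbids a leading '-' so the value can
# never be parsed as an option by the tool it is passed to.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # base name only, no leading dot, no '/'
USSD_RE = re.compile(r"^[*#][0-9*]{1,30}#$")                    # e.g. *100#  or *123*1#


def valid_hostname(value):
    """RFC 1123 host name: at most 253 chars, dot-separated labels of letters, digits, hyphen."""
    if not 0 < len(value) <= 253:
        return False
    return all(HOSTNAME_LABEL.match(label) for label in value.split("."))


def valid_filename(value):
    """A bare file name: no path separators, no '..', no shell characters."""
    return bool(FILENAME_RE.match(value))


def valid_ussd(value):
    """USSD short code: starts with * or #, digits and * inside, ends with #."""
    return bool(USSD_RE.match(value))


# Parameter -> (validator, tool). The tool names are placeholders for this
# example; they are not the binaries the firmware actually calls.
VALIDATORS = {
    "hostName": (valid_hostname, "hostname"),
    "FileName": (valid_filename, "cp"),
    "ussd": (valid_ussd, "ussd-send"),
}


def vulnerable_command(param, value):
    """The CWE-77 pattern: the request value is spliced into one shell string.
    Returned rather than executed so the effect is visible: "a;reboot" becomes
    two commands once a shell parses the string."""
    return "%s %s" % (VALIDATORS[param][1], value)


def build_argv(param, value):
    """Hardened form: validate first, then return an argv list meant for
    subprocess.run(argv) with shell=False (or execv in C), so the value is one
    argument and never re-parsed. None means the value was rejected."""
    check, tool = VALIDATORS[param]
    if not check(value):
        return None
    return [tool, value]


if __name__ == "__main__":
    for param, value in [("hostName", "router-1"), ("hostName", "a;reboot"),
                         ("FileName", "../etc/passwd"), ("ussd", "*100#")]:
        print("%-9s %-16r shell: %-24r argv: %r"
              % (param, value, vulnerable_command(param, value), build_argv(param, value)))
```

The allow-list is what does the work: a deny-list of shell metacharacters misses the next encoding trick, whereas a value that can only contain letters, digits and a few fixed punctuation marks cannot carry a second command no matter how the shell would have parsed it. Passing an argv list without a shell is the second, independent layer, so that a validator bug still does not yield code execution.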