ID

VAR-202403-0576


CVE

CVE-2024-2353


TITLE

TOTOLINK X6000R operating system command injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-13542

DESCRIPTION

A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256313 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK X6000R is a wireless router made by China Zeon Electronics (TOTOLINK) Company. TOTOLINK X6000R version 9.4.0cu.852_20230719 has an operating system command injection vulnerability. This vulnerability originates from a security issue in the setDiagnosisCfg function in /cgi-bin/cstecgi.cgi in the component shttpd, which allows operating system command injection by changing the parameter ip. No detailed vulnerability details are currently available.

Trust: 1.44

sources: NVD: CVE-2024-2353 // CNVD: CNVD-2024-13542

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-13542

AFFECTED PRODUCTS

vendor: zeon
model: x6000r v9.4.0cu.852 b20230719
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2024-13542

CVSS

SEVERITY

cna@vuldb.com: CVE-2024-2353
value: HIGH

Trust: 1.0

CNVD: CNVD-2024-13542
value: HIGH

Trust: 0.6

CVSSV2

cna@vuldb.com:
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

CNVD: CNVD-2024-13542
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

cna@vuldb.com:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-13542 // NVD: CVE-2024-2353

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

sources: NVD: CVE-2024-2353

EXTERNAL IDS

db: NVD
id: CVE-2024-2353

Trust: 1.6

db: VULDB
id: 256313

Trust: 1.0

db: CNVD
id: CNVD-2024-13542

Trust: 0.6

sources: CNVD: CNVD-2024-13542 // NVD: CVE-2024-2353

REFERENCES

url: https://github.com/oraclepi/repo/blob/main/totolink%20x6000r/1/x6000r%20ax3000%20wifi%206%20giga%20unauthed%20rce.md

Trust: 1.0

url: https://vuldb.com/?ctiid.256313

Trust: 1.0

url: https://vuldb.com/?id.256313

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2024-2353

Trust: 0.6

sources: CNVD: CNVD-2024-13542 // NVD: CVE-2024-2353

SOURCES

db: CNVD
id: CNVD-2024-13542

db: NVD
id: CVE-2024-2353

LAST UPDATE DATE

2024-03-22T22:42:21.925000+00:00

SOURCES UPDATE DATE

db: CNVD
id: CNVD-2024-13542
date: 2024-03-15T00:00:00

db: NVD
id: CVE-2024-2353
date: 2024-03-21T02:52:33.263

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2024-13542
date: 2024-03-14T00:00:00

db: NVD
id: CVE-2024-2353
date: 2024-03-10T08:15:05.920