ID

VAR-202404-0370


CVE

CVE-2024-4064


TITLE

Shenzhen Jixiang Tengda Technology Co., Ltd. AC8 R7WebsSecurityHandler function has a stack buffer overflow vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-20777

DESCRIPTION

A vulnerability was found in Tenda AC8 16.03.34.09. It has been declared as critical. This vulnerability affects the function R7WebsSecurityHandler of the file /goform/execCommand. The manipulation of the argument password leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-261790 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Jixiang Tengda Technology Co., Ltd. AC8 is a wireless router device that provides network connection and wireless management functions. Shenzhen Jixiang Tengda Technology Co., Ltd. The vulnerability is caused by improper processing of password parameters. Attackers can exploit this vulnerability to remotely control the device.

Trust: 1.44

sources: NVD: CVE-2024-4064 // CNVD: CNVD-2024-20777

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-20777

AFFECTED PRODUCTS

vendor: jixiang tengda, model: ac8, scope: eq, version: 16.03.34.09

Trust: 0.6

sources: CNVD: CNVD-2024-20777

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2024-4064
value: HIGH

Trust: 1.0

CNVD: CNVD-2024-20777
value: HIGH

Trust: 0.6

cna@vuldb.com:
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

CNVD: CNVD-2024-20777
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com:
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-20777 // NVD: CVE-2024-4064

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

sources: NVD: CVE-2024-4064

EXTERNAL IDS

db: NVD, id: CVE-2024-4064

Trust: 1.6

db: VULDB, id: 261790

Trust: 1.0

db: CNVD, id: CNVD-2024-20777

Trust: 0.6

sources: CNVD: CNVD-2024-20777 // NVD: CVE-2024-4064

REFERENCES

url:https://github.com/abcdefg-png/iot-vulnerable/blob/main/tenda/ac8/r7webssecurityhandler.md

Trust: 1.0

url:https://vuldb.com/?ctiid.261790

Trust: 1.0

url:https://vuldb.com/?id.261790

Trust: 1.0

url:https://vuldb.com/?submit.316493

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-4064

Trust: 0.6

sources: CNVD: CNVD-2024-20777 // NVD: CVE-2024-4064

SOURCES

db: CNVD, id: CNVD-2024-20777
db: NVD, id: CVE-2024-4064

LAST UPDATE DATE

2024-05-17T22:45:50.636000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-20777, date: 2024-04-28T00:00:00
db: NVD, id: CVE-2024-4064, date: 2024-05-17T02:40:14.223

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-20777, date: 2024-04-26T00:00:00
db: NVD, id: CVE-2024-4064, date: 2024-04-23T20:15:07.997