VARIoT IoT vulnerabilities database

A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (setDefResponse function). The binary reads the "IpAddress" parameter from a web request and copies it into a fixed-size stack buffer using strcpy() without any length validation. Maliciously crafted input can overflow the buffer, leading to potential arbitrary code execution or memory corruption, without requiring authentication.

A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with "%s" format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution

A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function). The web interface reads the "lang" parameter and constructs Help URL strings using sprintf() into fixed-size stack buffers without proper length validation. Maliciously crafted input can overflow these buffers, potentially leading to arbitrary code execution or memory corruption, without requiring authentication.

Tenda AC15 v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources. The Tenda AC15 is a wireless router product from Tenda. A security vulnerability exists in Tenda AC15 version 15.03.05.18multi

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the urls parameter of the get_parentControl_list_Info function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. Shenzhen Tenda Technology Co.,Ltd. of AX3 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AX3 is a dual-band gigabit wireless router for home use, launched by Tenda Technology. It supports the Wi-Fi 6 (802.11ax) standard and emphasizes high-performance network coverage and stable connections. This vulnerability stems from the fact that the `urls` parameter in the `get_parentControl_list_Info` function fails to properly validate the length of the input data

A stack-based buffer overflow vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the guestSsid parameter of the /goform/WifiGuestSet interface. Remote attackers can exploit this vulnerability by sending oversized data to the guestSsid parameter, leading to denial of service (device crash) or potential remote code execution. The Tenda AC18 is a dual-band wireless router launched in July 2016 by Shenzhen Jixiang Tenda Technology Co., Ltd., primarily targeting villa and large-apartment users. This vulnerability stems from the fact that the guestSsid parameter of the /goform/WifiGuestSet interface fails to properly validate the length of the input data. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial-of-service attack

A stored cross-site scripting (XSS) vulnerability was discovered in Tenda AC18 v15.03.05.05_multi. The vulnerability exists in the ssid parameter of the wireless settings. Remote attackers can inject malicious payloads that execute when any user visits the router's homepage. Shenzhen Tenda Technology Co.,Ltd. The Tenda AC18 is a dual-band wireless router launched in July 2016 by Shenzhen Jixiang Tenda Technology Co., Ltd., primarily targeting villa and large-apartment users

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the wanMTU parameter in the sub_4F55C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The Tenda AX-1803 is a dual-band gigabit WiFi 6 wireless router from Tenda, supporting both 2.4GHz and 5GHz bands with a maximum transmission rate of 1774Mbps, suitable for home or small office environments. This vulnerability stems from the fact that the wanMTU parameter in the sub_4F55C function fails to properly validate the length of the input data. An attacker could exploit this vulnerability to cause a denial-of-service attack

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. Shenzhen Tenda Technology Co.,Ltd. of ax1803 An out-of-bounds write vulnerability exists in firmware.Service operation interruption (DoS) It may be in a state. The Tenda AX-1803 is a dual-band gigabit WiFi 6 wireless router from Tenda, supporting both 2.4GHz and 5GHz bands with a maximum transmission rate of 1774Mbps, suitable for home or small office environments. This vulnerability stems from the fact that the `time` parameter in the `SetSysTimeCfg` function fails to properly validate the length of the input data

Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow via the shareSpeed parameter in the fromSetWifiGusetBasic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. Shenzhen Tenda Technology Co.,Ltd. of AX3 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AX3 is a dual-band gigabit wireless router for home use, launched by Tenda Technology. It supports the Wi-Fi 6 (802.11ax) standard and emphasizes high-performance network coverage and stable connections. This vulnerability stems from the fact that the `shareSpeed` parameter in the `fromSetWifiGusetBasic` function fails to properly validate the length of the input data

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the deviceId parameter of the saveParentControlInfo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. The Tenda AX3 is a dual-band gigabit wireless router for home use, launched by Tenda Technology. It supports the Wi-Fi 6 (802.11ax) standard and emphasizes high-performance network coverage and stable connections. This vulnerability stems from the fact that the `deviceId` parameter in the `saveParentControlInfo` function fails to properly validate the length of the input data

Tenda AX3 V16.03.12.10_CN was discovered to contain a stack overflow in the wpapsk_crypto parameter of the wlSetExternParameter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. Shenzhen Tenda Technology Co.,Ltd. of AX3 A stack-based buffer overflow vulnerability exists in the firmware.Service operation interruption (DoS) It may be in a state. The Tenda AX3 is a dual-band gigabit wireless router for home use, launched by Tenda Technology. It supports the Wi-Fi 6 (802.11ax) standard and emphasizes high-performance network coverage and stable connections. This vulnerability stems from the fact that the `wpapsk_crypto` parameter of the `wlSetExternParameter` function fails to properly validate the length of the input data

In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01672601; Issue ID: MSV-4623.

In Modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01672598; Issue ID: MSV-4622.

In ims service, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01671924; Issue ID: MSV-4620.

A vulnerability was determined in Tenda AC10 16.03.10.13. Affected by this vulnerability is the function formSysRunCmd of the file /goform/SysRunCmd. This manipulation of the argument getui causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Attackers can exploit this vulnerability to trigger a buffer overflow by constructing malicious parameters, thereby achieving remote code execution

A vulnerability has been found in Tenda AC8 16.03.34.06. This impacts an unknown function of the file /goform/DatabaseIniSet. The manipulation of the argument Time leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The Tenda AC8 is a dual-band gigabit wireless router from Tenda, designed for home and small office environments. The Tenda AC8 contains a buffer overflow vulnerability stemming from a failure to properly validate the input length when manipulating the Time parameter in the /goform/DatabaseIniSet file. An attacker could exploit this vulnerability to execute arbitrary code or cause a system crash

A vulnerability was identified in Tenda AC21 16.03.08.16. This vulnerability affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument startIp leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. An attacker could exploit this vulnerability to remotely manipulate the parameter, triggering a buffer overflow that could then execute arbitrary code or cause system crashes

A security vulnerability has been detected in Tenda AC23 16.03.07.52. Affected is the function saveParentControlInfo of the file /goform/saveParentControlInfo. Such manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The Tenda AC23 is a dual-band wireless router for home use, designed for large homes with excellent coverage and high-speed transmission. It supports 802.11ac Wave2 technology and boasts a maximum concurrent dual-band speed of 2033Mbps. This vulnerability stems from the fact that the parameter Time in the file /goform/saveParentControlInfo fails to properly validate the length of the input data. Attackers could exploit this vulnerability to execute arbitrary code or cause a denial-of-service attack

A weakness has been identified in Tenda AC23 16.03.07.52. This impacts the function formSetVirtualSer of the file /goform/SetVirtualServerCfg. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The Tenda AC23 is a dual-band wireless router for home use, designed for large homes with excellent coverage and high-speed transmission. It supports 802.11ac Wave2 technology and boasts a maximum concurrent dual-band speed of 2033Mbps. This vulnerability stems from the fact that the `formSetVirtualSer` function parameter `list` in the file `/goform/SetVirtualServerCfg` fails to properly validate the length of the input data. Attackers could exploit this vulnerability to execute arbitrary code or cause a denial-of-service attack