CVE-2024-0297 | Totolink N200RE 9.3.5u.6139_B20201216 /cgi-bin/cstecgi.cgi UploadFirmwareFile FileName os command injection

Posted by Angelo Barbosa | Jan 7, 2024 | CVE

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to os command injection.

The identification of this vulnerability is CVE-2024-0297. The attack may be initiated remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2024-0297 | Totolink N200RE 9.3.5u.6139_B20201216 /cgi-bin/cstecgi.cgi UploadFirmwareFile FileName os command injection

Related Posts

CVE-2024-47178 | expressjs basic-auth-connect up to 1.0.x timing discrepancy

CVE-2024-32000 | matrix-appservice-irc prior 2.0.0 Message insufficient permissions or privileges

CVE-2024-2740 | Planet IGS-4215-16T2S 1.305b210528 Web Interface information disclosure

CVE-2024-40601 | MediaWikiChat Extension up to 1.42.1 on MediaWiki API Module cross-site request forgery