CVE-2022-27004

Published: Mar 15, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Affected (2)

Products: Totolink: X5000r Firmware, A7000r Firmware

2 products

X5000r Firmware

A7000r Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Totolink X5000r Firmware	Version 9.1.0u.6118_b20201102

Running on/with	Platform Versions
Totolink X5000r	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Totolink A7000r Firmware	Version 9.1.0u.6115_b20201022

Running on/with	Platform Versions
Totolink A7000r	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/wudipjq/my_vuln/blob/main/totolink/vuln_31/31.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/wudipjq/my_vuln/blob/main/totolink/vuln_31/31.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.