CVE-2022-28491

CWE-78 — OS Command Injection CWE-77 — Command Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

5.7%

top 9.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Totolink Cp900 Firmware

Timeline

PublishedMar 23

Description

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDtotolink/cp900_firmware6.3c.566_b20171026

🔴Vulnerability Details

GHSA

GHSA-5vvf-rpvx-7r4f: TOTOLink outdoor CPE CP900 V6↗2023-03-23

▶

CVEList

CVE-2022-28491: TOTOLink outdoor CPE CP900 V6↗2023-03-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Centralized Third Party Jars (jackson-dataformats-binary) — CVE-2020-28491↗2022-07-15

▶