CVE-2024-0291Command Injection in Lr1200gb

CWE-77Command Injection4 documents4 sources
Severity
8.8HIGHNVD
CNA6.3
EPSS
1.5%
top 18.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Totolink Lr1200gbTotolink Lr1200gb Firmware
Timeline
PublishedJan 8
Latest updateJan 7

Description

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130. It has been rated as critical. This issue affects the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249857 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5totolink/lr1200gb9.1.0u.6619_B20230130
NVDtotolink/lr1200gb_firmware9.1.0u.6619_b20230130

🔴Vulnerability Details

2
CVEList
Totolink LR1200GB cstecgi.cgi UploadFirmwareFile command injection2024-01-08
GHSA
GHSA-63q7-pp7p-qqq3: A vulnerability was found in Totolink LR1200GB 92024-01-08

📋Vendor Advisories

1
Chrome
Stable Channel Update for Desktop: CVE-2025-02912025-01-07
CVE-2024-0291 — Command Injection in Totolink Lr1200gb | cvebase