CVE-2024-7214: Command Injection in Lr350

CWE-77: Command Injection (4 documents, 4 sources)

Severity: 5.3 MEDIUM (NVD)
EPSS: 3.5% (top 12.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 30

Description

A vulnerability has been found in TOTOLINK LR350 9.3.5u.6369_B20220309 and classified as critical. Affected by this vulnerability is the function setWanCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostName leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272785 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEListV5: totolink/lr350 9.3.5u.6369_B20220309
NVD: totolink/lr350_firmware 9.3.5u.6369_b20220309

🔴 Vulnerability Details (3)

CVEList: TOTOLINK LR350 cstecgi.cgi setWanCfg command injection (2024-07-30)
GHSA: GHSA-hcmc-j263-7qw5: A vulnerability has been found in TOTOLINK LR350 9 (2024-07-30)
VulnCheck: totolink lr350_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection') (2024)
CVE-2024-7214 — Command Injection in Totolink Lr350 | cvebase