Details of VAR-202312-0062

ID

VAR-202312-0062

CVE

CVE-2023-43453

TITLE

TOTOLINK of x6000r Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-018490

DESCRIPTION

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the IP parameter of the setDiagnosisCfg component. TOTOLINK of x6000r Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK X6000R is a wireless router made by China Zeon Electronics (TOTOLINK) Company. TOTOLINK X6000R has a command execution vulnerability. The vulnerability stems from the failure of the IP parameter of the setDiagnosisCfg component to correctly filter special characters, commands, etc. in the constructed command. An attacker could exploit this vulnerability to cause arbitrary command execution

Trust: 2.25

sources: NVD: CVE-2023-43453 // JVNDB: JVNDB-2023-018490 // CNVD: CNVD-2023-99450 // VULMON: CVE-2023-43453

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-99450

AFFECTED PRODUCTS

vendor:	totolink	model:	x6000r	scope:	eq	version:	9.4.0cu.652_b20230116	Trust: 1.0
vendor:	totolink	model:	x6000r	scope:	eq	version:	9.4.0cu.852_b20230719	Trust: 1.0
vendor:	totolink	model:	x6000r	scope:	eq	version:	x6000r firmware 9.4.0cu.852 b20230719	Trust: 0.8
vendor:	totolink	model:	x6000r	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	x6000r	scope:	eq	version:	x6000r firmware 9.4.0cu.652 b20230116	Trust: 0.8
vendor:	totolink	model:	x6000r	scope:	-	version:	-	Trust: 0.8
vendor:	zeon	model:	x6000r v9.4.0cu.852 b20230719	scope:	-	version:	-	Trust: 0.6
vendor:	zeon	model:	x6000r v9.4.0cu.652 b20230116	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2023-99450 // JVNDB: JVNDB-2023-018490 // NVD: CVE-2023-43453

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-43453
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2023-43453
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2023-99450
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2023-99450
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-43453
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-43453
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2023-99450 // JVNDB: JVNDB-2023-018490 // NVD: CVE-2023-43453

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-018490 // NVD: CVE-2023-43453

PATCH

title:

Patch for TOTOLINK X6000R IP parameter command execution vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/500436

Trust: 0.6

sources: CNVD: CNVD-2023-99450

EXTERNAL IDS

db:	NVD	id:	CVE-2023-43453	Trust: 3.3
db:	JVNDB	id:	JVNDB-2023-018490	Trust: 0.8
db:	CNVD	id:	CNVD-2023-99450	Trust: 0.6
db:	VULMON	id:	CVE-2023-43453	Trust: 0.1

sources: CNVD: CNVD-2023-99450 // VULMON: CVE-2023-43453 // JVNDB: JVNDB-2023-018490 // NVD: CVE-2023-43453

REFERENCES

url:	https://github.com/tharsis1024/vuln/blob/main/totolink/x6000r/2.md	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2023-43453	Trust: 0.8
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-99450 // VULMON: CVE-2023-43453 // JVNDB: JVNDB-2023-018490 // NVD: CVE-2023-43453

SOURCES

db:	CNVD	id:	CNVD-2023-99450
db:	VULMON	id:	CVE-2023-43453
db:	JVNDB	id:	JVNDB-2023-018490
db:	NVD	id:	CVE-2023-43453

LAST UPDATE DATE

2024-08-14T15:00:00.035000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-99450	date:	2023-12-21T00:00:00
db:	VULMON	id:	CVE-2023-43453	date:	2023-12-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-018490	date:	2024-01-11T06:11:00
db:	NVD	id:	CVE-2023-43453	date:	2023-12-06T18:37:21.057

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-99450	date:	2023-12-13T00:00:00
db:	VULMON	id:	CVE-2023-43453	date:	2023-12-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-018490	date:	2024-01-11T00:00:00
db:	NVD	id:	CVE-2023-43453	date:	2023-12-01T02:15:07.267