Sign-up

ID

VAR-202401-0531


CVE

CVE-2024-0298


TITLE

TOTOLINK  of  N200RE  in the firmware  OS  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-001216

DESCRIPTION

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216. It has been classified as critical. Affected is the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249864. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK of N200RE The firmware has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2024-0298 // JVNDB: JVNDB-2024-001216 // VULMON: CVE-2024-0298

AFFECTED PRODUCTS

vendor:totolinkmodel:n200rescope:eqversion:9.3.5u.6139_b20201216

Trust: 1.0

vendor:totolinkmodel:n200rescope: - version: -

Trust: 0.8

vendor:totolinkmodel:n200rescope:eqversion: -

Trust: 0.8

vendor:totolinkmodel:n200rescope:eqversion:n200re firmware 9.3.5u.6139 b20201216

Trust: 0.8

sources: JVNDB: JVNDB-2024-001216 // NVD: CVE-2024-0298

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2024-0298
value: CRITICAL

Trust: 1.8

cna@vuldb.com: CVE-2024-0298
value: HIGH

Trust: 1.0

cna@vuldb.com:
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

cna@vuldb.com:
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

NVD:
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2024-0298
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2024-001216 // NVD: CVE-2024-0298 // NVD: CVE-2024-0298

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.0

problemtype:OS Command injection (CWE-78) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-001216 // NVD: CVE-2024-0298

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2024-0298

EXTERNAL IDS
db:NVDid:CVE-2024-0298
Trust: 2.7
db:VULDBid:249864
Trust: 1.1
db:JVNDBid:JVNDB-2024-001216
Trust: 0.8
db:VULMONid:CVE-2024-0298
Trust: 0.1
sources:
            
            
            VULMON: CVE-2024-0298 // 
            
            
            
            JVNDB: JVNDB-2024-001216 // 
            
            
            
            NVD: CVE-2024-0298

REFERENCES
url:https://github.com/jylsec/vuldb/blob/main/totolink/n200re/setdiagnosiscfg/readme.md
Trust: 1.9
url:https://vuldb.com/?id.249864
Trust: 1.1
url:https://vuldb.com/?ctiid.249864
Trust: 1.1
url:https://nvd.nist.gov/vuln/detail/cve-2024-0298
Trust: 0.8
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULMON: CVE-2024-0298 // 
            
            
            
            JVNDB: JVNDB-2024-001216 // 
            
            
            
            NVD: CVE-2024-0298

SOURCES
db:VULMONid:CVE-2024-0298
db:JVNDBid:JVNDB-2024-001216
db:NVDid:CVE-2024-0298

LAST UPDATE DATE
2024-05-17T23:01:33.442000+00:00

SOURCES UPDATE DATE
db:VULMONid:CVE-2024-0298date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001216date:2024-02-01T05:39:00
db:NVDid:CVE-2024-0298date:2024-05-17T02:34:30.017

SOURCES RELEASE DATE
db:VULMONid:CVE-2024-0298date:2024-01-08T00:00:00
db:JVNDBid:JVNDB-2024-001216date:2024-02-01T00:00:00
db:NVDid:CVE-2024-0298date:2024-01-08T05:15:09.770