Details of VAR-202405-0812

ID

VAR-202405-0812

CVE

CVE-2024-32349

TITLE

TOTOLINK X5000R mtu parameter code execution vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-40411

DESCRIPTION

TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the "mtu" parameters in the "cstecgi.cgi" binary. TOTOLINK X5000R is a router of China's TOTOLINK Electronics. The vulnerability is caused by the mtu parameter of cstecgi.cgi failing to properly filter the special elements of the constructed code segment. An attacker can exploit this vulnerability to cause arbitrary code execution

Trust: 1.44

sources: NVD: CVE-2024-32349 // CNVD: CNVD-2024-40411

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-40411

AFFECTED PRODUCTS

vendor:

totolink

model:

x5000r v9.1.0cu.2350 b20230313

scope:

version:

Trust: 0.6

sources: CNVD: CNVD-2024-40411

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32349
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2024-40411
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-40411
severity:	MEDIUM
baseScore:	5.9
vectorString:	AV:L/AC:L/AU:M/C:C/I:C/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	2.5
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2024-32349
baseSeverity:	MEDIUM
baseScore:	6.0
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	0.8
impactScore:	5.2
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2024-40411 // NVD: CVE-2024-32349

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.0

sources: NVD: CVE-2024-32349

EXTERNAL IDS

db:	NVD	id:	CVE-2024-32349	Trust: 1.6
db:	CNVD	id:	CNVD-2024-40411	Trust: 0.6

sources: CNVD: CNVD-2024-40411 // NVD: CVE-2024-32349

REFERENCES

url:	https://github.com/1s1and123/vulnerabilities/blob/main/device/totolink/x5000r/totolink_x5000r_rce.md	Trust: 1.0
url:	https://www.totolink.net/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-32349	Trust: 0.6

sources: CNVD: CNVD-2024-40411 // NVD: CVE-2024-32349

SOURCES

db:	CNVD	id:	CNVD-2024-40411
db:	NVD	id:	CVE-2024-32349

LAST UPDATE DATE

2024-10-13T23:16:55.016000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-40411	date:	2024-10-11T00:00:00
db:	NVD	id:	CVE-2024-32349	date:	2024-07-03T01:56:20.913

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-40411	date:	2024-10-11T00:00:00
db:	NVD	id:	CVE-2024-32349	date:	2024-05-14T16:17:02.243