Totolink N200RE cstecgi.cgi NTPSyncWithHost os command injection

A vulnerability has been found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This vulnerability affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument host_time leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249862 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

TOTOLINK N200RE 操作系统命令注入漏洞

TOTOLINK N200RE是中国吉翁电子（TOTOLINK）公司的一个路由器。 TOTOLINK N200RE 9.3.5u.6139_B20201216 版本存在操作系统命令注入漏洞，该漏洞源于对 /cgi-bin/cstecgi.cgi 页面的 NTPSyncWithHost 函数的 host_time 参数的操作会导致操作系统命令注入。

N/A

N/A