CVE-2019-19824
- EPSS 93.67%
- Published 27.01.2020 18:15:12
- Last modified 21.11.2024 04:35:28
- Source cve@mitre.org
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and N302RE 2.0.2.
Data provided by the National Vulnerability Database (NVD)
Totolink ≫ A3002ru Firmware Version <= 2.0.0
Totolink ≫ A702r Firmware Version <= 2.1.3
Totolink ≫ N301rt Firmware Version <= 2.1.6
Totolink ≫ N302r Firmware Version <= 3.4.0
Totolink ≫ N300rt Firmware Version <= 3.4.0
Totolink ≫ N200re Firmware Version <= 4.0.0
Totolink ≫ N150rt Firmware Version <= 3.4.0
Totolink ≫ N100re Firmware Version <= 3.4.0
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 93.67% | 0.998 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 9 | 8 | 10 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.