An attacker can send a specially crafted request to the injection point in the cstecgi.cgi script, resulting in the complete takeover of the application and the ability to obtain sensitive information.

A remote attacker can exploit the command injection vulnerability to execute arbitrary system commands, resulting in a full compromise of the affected system.

TOTOLINK N600R V4.3.0cu.7570_B20200620 is prone to a command injection vulnerability because it fails to filter user-supplied input.

Solution: Upgrade or patch the router firmware to the latest version.

CVE-2018-18649 TOTOLINK N600R V4.3.0cu.7570_B20200620 is vulnerable to a SQL injection attack because it fails to validate user input before using it in SQL queries.

An attacker can inject malicious SQL statements in order to gain access to sensitive information, or even hijack SQL queries to issue commands to the server.

CVE-2018-18650 TOTOLINK N600R V4.3.0cu.7570_B20200620 is vulnerable to a directory traversal attack because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to modify files on the system or inject malicious code into other applications via the directory path.

CVE-2018-18651 TOTOLINK N600R V

An attacker can exploit this vulnerability to force the browser of unsuspecting users to send a specially crafted request to a third party website.

Timeline

Published on: 03/22/2022 21:15:00 UTC
Last modified on: 03/29/2022 15:39:00 UTC
