CVE-2022-38308: TOTOLink A700RU V7.4cu.2313_B20191024 contains a command injection vulnerability via the lang parameter in the cstesystem function.
The flaw is caused by insufficient validation of user-supplied input before it is used to build an operating-system command. A remote attacker who can reach the device's web interface can exploit it to execute arbitrary commands on the router itself, not merely in the context of the web application.
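The vulnerable pattern described above, as an added illustration that is not TOTOLink's code: the advisory does not disclose the firmware's actual command line, so the hypothetical handler below models a cstesystem-style function that interpolates the lang parameter into a shell command, next to a hardened version that allowlists the value first. Both functions only build the command string (nothing is passed to system()), so the example is safe to run; the payload "en;id" and the copy command are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical models of a CGI handler for the "lang" parameter (NOT the
 * real cstesystem function). Both only build the command string; in the
 * real bug class the string would then be handed to the shell, e.g.
 * system(cmd), so any shell metacharacter in "lang" becomes a second command.
 */

/* Vulnerable pattern: untrusted input is interpolated into a shell command. */
int build_cmd_vulnerable(const char *lang, char *out, size_t outlen)
{
    /* Assumed command line; the firmware's actual command is not known. */
    int n = snprintf(out, outlen, "cp /etc_ro/lang/%s.txt /tmp/lang.txt", lang);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check: only language codes such as "en" or "zh_cn". */
int lang_is_valid(const char *lang)
{
    size_t len = strlen(lang);
    if (len < 2 || len > 8)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!islower(c) && c != '_')
            return 0;   /* rejects ';', '|', '$', '/', '.', uppercase, spaces */
    }
    return 1;
}

/* Hardened pattern: reject anything outside the allowlist before use. */
int build_cmd_hardened(const char *lang, char *out, size_t outlen)
{
    if (!lang_is_valid(lang))
        return -1;
    return build_cmd_vulnerable(lang, out, outlen);
}

/* Does the built string carry characters the shell would interpret? */
int contains_shell_meta(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n") != NULL;
}

/* Returns the built command from a static buffer, or NULL when rejected. */
const char *demo_command(const char *lang, int hardened)
{
    static char cmd[128];
    int rc = hardened ? build_cmd_hardened(lang, cmd, sizeof cmd)
                      : build_cmd_vulnerable(lang, cmd, sizeof cmd);
    return rc == 0 ? cmd : NULL;
}

int main(void)
{
    /* Constructed sample inputs: a legitimate value and one smuggling a second command. */
    const char *inputs[] = { "zh_cn", "en;id" };

    for (size_t i = 0; i < 2; i++) {
        const char *v = demo_command(inputs[i], 0);
        const char *h = demo_command(inputs[i], 1);
        printf("vulnerable: \"%s\" -> %s%s\n", inputs[i], v,
               contains_shell_meta(v) ? "   [metacharacters reach the shell]" : "");
        if (h)
            printf("hardened:   \"%s\" -> %s\n", inputs[i], h);
        else
            printf("hardened:   \"%s\" rejected\n", inputs[i]);
    }
    return 0;
}
```

Allowlisting the value is the minimum fix; the stronger one is to stop using the shell altogether and invoke the program with an argv array (fork/execv), so that even a value that slips past validation cannot be parsed as a second command.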
The same lang parameter of the cstesystem function in TOTOLink A700RU V7.4cu.2313_B20191024 is also reported to be affected by cross-site scripting (XSS): a remote attacker can inject arbitrary JavaScript that executes in a victim's browser.
Finally, the firmware is reported to be prone to a stored cross-site scripting (XSS) vulnerability, likewise caused by insufficient input validation, which lets an attacker persist arbitrary JavaScript in the application via a crafted request.
CVE Solution:
Users of TOTOLink A700RU V7.4cu.2313_B20191024 are advised to upgrade to the latest firmware published by the vendor immediately. V7.4cu.2313_B20191024 is the affected version and should not remain deployed; until the device is updated, restrict access to its web interface to trusted networks.
Source: https://www.fortiguard.com/threat-intelligence/advanced-threats/totolink-v7-4cu-2313-b20191024-cstesystem-command-injection-vulnerabilities
Vendor Information
TOTOLink A700RU V7.4cu.2313_B20191024
Manufacturer: TOTOLink
Model: A700RU
Version: V7.4cu.2313_B20191024
Timeline
Published on: 09/14/2022 21:15:00 UTC
Last modified on: 09/17/2022 01:51:00 UTC