
CVE-2021-27708

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.0120%
EPSS Percentile: 16.97th
Published: April 14, 2021
Last Modified: November 21, 2024

Vulnerability Description

A command injection vulnerability in the TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102 and the TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In that function, the attacker-supplied "command" parameter is passed directly to system, so an attacker who controls the "command" field can attack the OS.

Affected Platforms (CPE)

Totolink X5000r Firmware = 9.1.0u.6118_b20201102
Totolink A720r Firmware = 4.1.5cu.470_b20200911

References & Advisories

Related Vulnerability Information