SecuriTricks - CVE-2024-10654

Description

A vulnerability has been found in TOTOLINK LR350 up to 9.3.5u.6369 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to authorization bypass. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.3.5u.6698_B20230810 is able to address this issue. It is recommended to upgrade the affected component.

Product(s) Impacted

Product	Versions
TOTOLINK LR350	['up to 9.3.5u.6369']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20LR350%20Vuln.md

https://vuldb.com/?ctiid.282667

https://vuldb.com/?id.282667

https://vuldb.com/?submit.434801

https://www.totolink.net/

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/231/ids/36.html

CVSS Score

5.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: Nov. 1, 2024, 12:15 p.m.
Last Modified: Nov. 5, 2024, 7:15 a.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cna@vuldb.com

CVE-2024-10654