CVE-2024-0569 - OpenCVE

A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Totolink	T8 T8 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:totolink:t8_firmware:4.1.5cu.833_20220905:*:*:*:*:*:*:*

cpe:2.3:h:totolink:t8:-:*:*:*:*:*:*:*

References

Link	Resource
https://drive.google.com/file/d/1WSWrGEKUkvPk8hq1VRng-wbR7T6CknGY/view?usp=sharing	Exploit Third Party Advisory
https://vuldb.com/?ctiid.250785	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.250785	Third Party Advisory VDB Entry
https://vuldb.com/?submit.263653	Third Party Advisory VDB Entry
https://www.chtsecurity.com/news/8aa31e69-1e7c-4186-8554-7d5d6baeaa84	Third Party Advisory
https://www.chtsecurity.com/news/8f270890-12cc-4623-99a3-a81e00758c29	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2024-01-16T12:31:04.083Z

Updated: 2024-05-29T17:59:39.963Z

Reserved: 2024-01-16T07:06:04.505Z

Link: CVE-2024-0569

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-01-16T13:15:08.113

Modified: 2024-06-18T13:21:16.393

Link: CVE-2024-0569

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0569", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-01-16T07:06:04.505Z", "datePublished": "2024-01-16T12:31:04.083Z", "dateUpdated": "2024-05-29T17:59:39.963Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-05-29T17:59:39.963Z"}, "title": "Totolink T8 Setting cstecgi.cgi getSysStatusCfg information disclosure", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Information Disclosure"}]}], "affected": [{"vendor": "Totolink", "product": "T8", "versions": [{"version": "4.1.5cu.833_20220905", "status": "affected"}], "modules": ["Setting Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Totolink T8 4.1.5cu.833_20220905 entdeckt. Sie wurde als problematisch eingestuft. Es betrifft die Funktion getSysStatusCfg der Datei /cgi-bin/cstecgi.cgi der Komponente Setting Handler. Durch das Manipulieren des Arguments ssid/key mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 4.1.5cu.862_B20230228 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "timeline": [{"time": "2024-01-16T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-01-16T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2024-01-16T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-05-29T20:01:01.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Chun-Li Lin", "type": "finder"}, {"lang": "en", "value": "lin7lic (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "lin7lic (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/?id.250785", "name": "VDB-250785 | Totolink T8 Setting cstecgi.cgi getSysStatusCfg information disclosure", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.250785", "name": "VDB-250785 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.263653", "name": "Submit #263653 | Totolink T8 V4.1.5cu.833_20220905 Broken Access Control", "tags": ["third-party-advisory"]}, {"url": "https://www.chtsecurity.com/news/8f270890-12cc-4623-99a3-a81e00758c29", "tags": ["related"]}, {"url": "https://drive.google.com/file/d/1WSWrGEKUkvPk8hq1VRng-wbR7T6CknGY/view?usp=sharing", "tags": ["exploit"]}, {"url": "https://www.chtsecurity.com/news/8aa31e69-1e7c-4186-8554-7d5d6baeaa84", "tags": ["related"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:totolink:t8_firmware:4.1.5cu.833_20220905:*:*:*:*:*:*:*", "matchCriteriaId": "EEAB4A5E-435B-4286-AE0F-203CAD3E5409", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:totolink:t8:-:*:*:*:*:*:*:*", "matchCriteriaId": "16621725-1296-4792-BDF4-43E0ABF3B744", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Totolink T8 4.1.5cu.833_20220905 y clasificada como problem\u00e1tica. Esto afecta a la funci\u00f3n getSysStatusCfg del archivo /cgi-bin/cstecgi.cgi del componente Configuration Handler. La manipulaci\u00f3n del argumento ssid/key conduce a la divulgaci\u00f3n de informaci\u00f3n. Es posible iniciar el ataque de forma remota. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. La actualizaci\u00f3n a la versi\u00f3n 4.1.5cu.862_B20230228 puede solucionar este problema. Se recomienda actualizar el componente afectado. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-250785."}], "id": "CVE-2024-0569", "lastModified": "2024-06-18T13:21:16.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-01-16T13:15:08.113", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/file/d/1WSWrGEKUkvPk8hq1VRng-wbR7T6CknGY/view?usp=sharing"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?ctiid.250785"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.250785"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.263653"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/8aa31e69-1e7c-4186-8554-7d5d6baeaa84"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/8f270890-12cc-4623-99a3-a81e00758c29"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "cna@vuldb.com", "type": "Secondary"}]}