Tenda HG6 formPing command execution |

May 6, 2022

NAME

Tenda HG6 formPing command execution

  • Platforms Affected:
    Tenda HG6 3.3.0
  • Risk Level:
    8.8
  • Exploitability:
    Proof of Concept
  • Consequences:
    Gain Access

DESCRIPTION

Tenda HG6 could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by an OS command injection vulnerability. By using the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces, an attacker could exploit this vulnerability to inject and execute arbitrary shell commands on the system.

CVSS 3.0 Information

  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Access Vector: Network
  • Access Complexity: Low
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
  • Remediation Level: Unavailable

MITIGATION

No remedy available as of May 4, 2022.

  • Reference Link:
    https://packetstormsecurity.com/files/166932
  • Reference Link:
    https://www.tendacn.com/

If you like the site, please consider joining the telegram channel and supporting us on Patreon using the button below.

Digital Patreon Wordmark FieryCoralv2
Tags: , ,

You may have missed

CISA_Logo

CISA: Foreign Threat Actor Conducting Large-Scale Spearphishing Campaign with RDP Attachments

November 30, 2024
CISA_Logo

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog

November 30, 2024
CISA_Logo

CISA: CISA Releases Four Industrial Control Systems Advisories

November 30, 2024
CISA_Logo

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog

November 30, 2024
CISA_Logo

CISA: Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation

November 30, 2024