Lucene search

[email protected]CVE-2024-34338

HistoryMay 14, 2024 - 3:38 p.m.

CVE-2024-34338

2024-05-1415:38:39

CWE-77

[email protected]

web.nvd.nist.gov

tenda o3v2

command injection

remote attackers

operating system commands

traceroute

cve-2024-34338

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Tenda O3V2 with firmware versions V1.0.0.10 and V1.0.0.12 was discovered to contain a Blind Command Injection via dest parameter in /goform/getTraceroute. This vulnerability allows attackers to execute arbitrary commands with root privileges. Authentication is required to exploit this vulnerability.

References

exzettabyte.me/blind-command-injection-in-tenda-o3v2

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Related for CVE-2024-34338

cvelist1 vulnrichment1 nvd1