CVE-2023-39617

TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
VendorProductVersion
totolinkx5000r_firmware
9.1.0cu.2089_b20211224:cu.2089_b20211224
totolinkx5000r_firmware
9.1.0cu.2350_b20230313:cu.2350_b20230313
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://sedate-class-393.notion.site/TOTOlink-ee7eb0d4cd5d43e9983296200371eff1?pvs=4
https://sedate-class-393.notion.site/TOTOlink-ee7eb0d4cd5d43e9983296200371eff1?pvs=4