CVE-2024-3008: Tenda FH1205 execCommand formexeCommand stack-based overflow
Description
A vulnerability, which was classified as critical, was found in Tenda FH1205 2.0.0.7(775). Affected is the function formexeCommand of the file /goform/execCommand. The manipulation of the argument cmdinput leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-258294 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine Schwachstelle in Tenda FH1205 2.0.0.7(775) gefunden. Sie wurde als kritisch eingestuft. Betroffen hiervon ist die Funktion formexeCommand der Datei /goform/execCommand. Durch die Manipulation des Arguments cmdinput mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2024-3008
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types
CWE-121 Stack-based Buffer OverflowAffected Products
Vendor: Tenda
Product: FH1205
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.81% (probability of being exploited)
EPSS Percentile: 73.0% (scored less or equal to compared to others)
EPSS Date: 2025-04-21 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: poc
SSVC Technical Impact: total
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-3008https://vuldb.com/?id.258294
https://vuldb.com/?ctiid.258294
https://vuldb.com/?submit.301487
https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/FH/FH1205/formexeCommand.md