cnvd - cnvd-2024-23302

cnvd-2024-23302

Vulnerability from cnvd

Title

Tenda A301存在未明漏洞（CNVD-2024-23302）

Description

Tenda A301是中国腾达（Tenda）公司的一款无线信号扩展器。 Tenda A30115.13.08.12_multi_TDE01版本存在安全漏洞，该漏洞源于文件/goform/setBlackRule的参数deviceList会导致基于堆栈的缓冲区溢出。目前没有详细的漏洞细节提供，

Severity

高

Formal description

厂商尚未发布漏洞修复程序，请及时关注更新： https://www.tendacn.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-4291

Impacted products

Name
Tenda A301 15.13.08.12_multi_TDE01

Show details on source website

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-4291"
    }
  },
  "description": "Tenda A301\u662f\u4e2d\u56fd\u817e\u8fbe\uff08Tenda\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u65e0\u7ebf\u4fe1\u53f7\u6269\u5c55\u5668\u3002\n\nTenda A30115.13.08.12_multi_TDE01\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/goform/setBlackRule\u7684\u53c2\u6570deviceList\u4f1a\u5bfc\u81f4\u57fa\u4e8e\u5806\u6808\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\uff0c",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.tendacn.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-23302",
  "openTime": "2024-05-22",
  "products": {
    "product": "Tenda A301 15.13.08.12_multi_TDE01"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-4291",
  "serverity": "\u9ad8",
  "submitTime": "2024-04-28",
  "title": "Tenda A301\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2024-23302\uff09"
}

CVE-2024-4291 (GCVE-0-2024-4291)

Vulnerability from cvelistv5

Published

2024-04-27 20:00

Modified

2025-08-27 21:26

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

Summary

A vulnerability was found in Tenda A301 15.13.08.12_multi_TDE01. It has been rated as critical. This issue affects the function formAddMacfilterRule of the file /goform/setBlackRule. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-262223. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

References

URL

Tags

	https://vuldb.com/?id.262223	vdb-entry, technical-description
	https://vuldb.com/?ctiid.262223	signature, permissions-required
	https://vuldb.com/?submit.320672	third-party-advisory
	https://github.com/L1ziang/Vulnerability/blob/main/formAddMacfilterRule.md	exploit

Impacted products

	Vendor	Product	Version
	Tenda	A301	Version: 15.13.08.12_multi_TDE01

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:tenda:ac15:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ac15",
            "vendor": "tenda",
            "versions": [
              {
                "status": "affected",
                "version": "15.13.08.12_TDE01"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4291",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T14:52:10.389752Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T21:26:06.856Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:33:53.224Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VDB-262223 | Tenda A301 setBlackRule formAddMacfilterRule stack-based overflow",
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.262223"
          },
          {
            "name": "VDB-262223 | CTI Indicators (IOB, IOC, IOA)",
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.262223"
          },
          {
            "name": "Submit #320672 | Tenda A301 v2.0 US_A301V2.0RTL_V15.13.08.12_multi_TDE01 Buffer Overflow",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?submit.320672"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://github.com/L1ziang/Vulnerability/blob/main/formAddMacfilterRule.md"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "A301",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "15.13.08.12_multi_TDE01"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "L1ziang (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Tenda A301 15.13.08.12_multi_TDE01. It has been rated as critical. This issue affects the function formAddMacfilterRule of the file /goform/setBlackRule. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-262223. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in Tenda A301 15.13.08.12_multi_TDE01 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist die Funktion formAddMacfilterRule der Datei /goform/setBlackRule. Mittels dem Manipulieren des Arguments deviceList mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-27T20:00:07.538Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-262223 | Tenda A301 setBlackRule formAddMacfilterRule stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.262223"
        },
        {
          "name": "VDB-262223 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.262223"
        },
        {
          "name": "Submit #320672 | Tenda A301 v2.0 US_A301V2.0RTL_V15.13.08.12_multi_TDE01 Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.320672"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/L1ziang/Vulnerability/blob/main/formAddMacfilterRule.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-04-27T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-04-27T07:54:19.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda A301 setBlackRule formAddMacfilterRule stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-4291",
    "datePublished": "2024-04-27T20:00:07.538Z",
    "dateReserved": "2024-04-27T05:49:08.167Z",
    "dateUpdated": "2025-08-27T21:26:06.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.