CVE-2023-38933

Tenda AC6 V2.0 V15.03.06.23, AC7 V1.0 V15.03.06.44, F1203 V2.0.1.6, AC5 V1.0 V15.03.06.28, FH1203 V2.0.1.6 and AC9 V3.0 V15.03.06.42_multi, and FH1205 V2.0.0.7(775) were discovered to contain a stack overflow via the deviceId parameter in the formSetClientState function.

Published: Aug 7, 2023
Updated: Aug 11, 2023
CVE: CVE-2023-38933
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
tenda / ac10_firmware	15.03.06.23	15.03.06.23.x
tenda / ac1206_firmware	15.03.06.23	15.03.06.23.x
tenda / ac6_firmware	15.03.06.23	15.03.06.23.x
tenda / ac7_firmware	15.03.06.44	15.03.06.44.x
tenda / f1203_firmware	2.0.1.6	2.0.1.6.x
tenda / ac5_firmware	15.03.06.28	15.03.06.28.x
tenda / fh1203_firmware	2.0.1.6	2.0.1.6.x
tenda / fh1205_firmware	2.0.0.7(775)	2.0.0.7(775).x
tenda / ac9_firmware	15.03.06.42_multi	15.03.06.42_multi.x

https://github.com/FirmRec/IoT-Vulns/blob/main/tenda/formSetClientState/README.md

Vulnerability Database

290,020

CVE-2023-38933