Tenda W30E Command Injection Vulnerability in USB Partition Management

Vulnerability

A command injection vulnerability has been identified in the Tenda W30E V2.0 router, specifically in version V16.01.0.21. The issue arises in the 'formSetUSBPartitionUmount' function, where the 'usbPartitionName' parameter can be manipulated to execute arbitrary commands. It is triggered by sending a crafted request carrying that parameter, which allows attackers to execute commands on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/module' endpoint with a crafted JSON payload. The 'usbPartitionName' parameter should be included in the payload, with a value that contains the desired command. Once the request is processed, the executed command's output can be verified by checking the '/webroot_ro/index.html' file, which will reflect the injected command's result.
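For defenders, the request shape described above can be screened at a reverse proxy or in collected HTTP logs. The following is an added example, not code from the advisory or from Tenda: it flags POST requests to '/goform/module' whose 'usbPartitionName' value falls outside an allowlist. The allowlist pattern, the JSON nesting in the samples and all function names are assumptions.

```python
import json
import re

# Assumption: a legitimate partition name is a short device-style token such as "sda1".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")
TARGET_PATH = "/goform/module"
PARAM = "usbPartitionName"


def find_param(node, key=PARAM):
    """Yield every value stored under `key`, at any depth of the decoded JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_param(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_param(item, key)


def inspect_request(method, path, body):
    """Return a list of reasons to flag the request; an empty list means no finding."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        # Flag unparseable bodies only when they still mention the parameter.
        return ["unparseable body mentions " + PARAM] if PARAM in str(body) else []
    findings = []
    for value in find_param(doc):
        # Anything that is not a plain allowlisted token is treated as suspicious.
        if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
            findings.append("%s outside allowlist: %r" % (PARAM, value))
    return findings


# Constructed sample requests (not captured traffic); "<command>" is a placeholder
# and the outer "x" key is an assumed wrapper, not the device's real schema.
SAMPLES = [
    ("POST", "/goform/module", '{"x": {"usbPartitionName": "sda1"}}'),
    ("POST", "/goform/module", '{"x": {"usbPartitionName": "sda1;<command>"}}'),
    ("POST", "/goform/module", '{"usbPartitionName": "sda1'),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body))
```

An allowlist is used rather than a list of shell metacharacters so that encodings or separators not anticipated by the rule are still flagged.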

Added: Apr 21, 2026, 6:54 PM
Updated: Apr 21, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 4.8
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.