Filtered by vendor Totolink
Total: 181 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29393 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_004192cc. | |||||
| CVE-2022-29394 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the macAddress parameter in the function FUN_0041b448. | |||||
| CVE-2022-29396 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_00418f10. | |||||
| CVE-2022-29397 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_004196c8. | |||||
| CVE-2022-29399 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the url parameter in the function FUN_00415bf0. | |||||
| CVE-2022-29398 | 1 Totolink | 2 N600r, N600r Firmware | 2022-05-16 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the File parameter in the function FUN_0041309c. | |||||
| CVE-2022-25137 | 1 Totolink | 4 T10, T10 Firmware, T6 and 1 more | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25136 | 1 Totolink | 4 T10, T10 Firmware, T6 and 1 more | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25135 | 1 Totolink | 2 T6, T6 Firmware | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25134 | 1 Totolink | 2 T6, T6 Firmware | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25133 | 1 Totolink | 2 T6, T6 Firmware | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25132 | 1 Totolink | 4 T10, T10 Firmware, T6 and 1 more | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25131 | 1 Totolink | 4 T10, T10 Firmware, T6 and 1 more | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2022-25130 | 1 Totolink | 4 T10, T10 Firmware, T6 and 1 more | 2022-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet. | |||||
| CVE-2021-44247 | 1 Totolink | 6 A3100r, A3100r Firmware, A720r and 3 more | 2022-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter. | |||||
| CVE-2021-45733 | 1 Totolink | 2 X5000r, X5000r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers to execute arbitrary commands via the parameter host_time. | |||||
| CVE-2021-45742 | 1 Totolink | 2 A720r, A720r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. | |||||
| CVE-2021-45738 | 1 Totolink | 2 X5000r, X5000r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This vulnerability allows attackers to execute arbitrary commands via the parameter FileName. | |||||
| CVE-2021-43711 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2022-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution. | |||||
| CVE-2021-35327 | 1 Totolink | 2 A720r, A720r Firmware | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then log in with the default credentials via a crafted POST request. | |||||
| CVE-2021-27710 | 1 Totolink | 4 A720r, A720r Firmware, X5000r and 1 more | 2021-04-21 | 10.0 HIGH | 9.8 CRITICAL |
| Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, the "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS. | |||||
| CVE-2021-27708 | 1 Totolink | 4 A720r, A720r Firmware, X5000r and 1 more | 2021-04-21 | 10.0 HIGH | 9.8 CRITICAL |
| Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, the "command" parameter is directly passed to the attacker, allowing them to control the "command" field to attack the OS. | |||||
| CVE-2015-9551 | 1 Totolink | 16 A850r-v1, A850r-v1 Firmware, F1-v2 and 13 more | 2020-12-04 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter. | |||||
| CVE-2019-19825 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2020-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0. | |||||
| CVE-2018-13307 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable. | |||||
| CVE-2018-13306 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. | |||||
| CVE-2018-13311 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter. | |||||
| CVE-2018-13314 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter. | |||||
| CVE-2018-13316 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter. | |||||
| CVE-2018-13315 | 1 Totolink | 2 A3002ru, A3002ru Firmware | 2018-12-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request. | |||||
| CVE-2017-1000020 | 3 Ecos, Greatek, Totolink | 3 Embedded Web Servers, Soho, Soho | 2017-08-15 | 10.0 HIGH | 9.8 CRITICAL |
| SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others." | |||||
