Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Totolink Subscribe
Filtered by product A3002ru

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-19825 1 Totolink 16 A3002ru, A3002ru Firmware, A702r and 13 more 2020-02-05 7.5 HIGH 9.8 CRITICAL
On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via an {"topicurl":"setting/getSanvas"} POST to the boafrm/formLogin URI, leading to a CAPTCHA bypass. (Also, the CAPTCHA text is not needed once the attacker has determined valid credentials. The attacker can perform router actions via HTTP requests with Basic Authentication.) This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-2018-13307 1 Totolink 2 A3002ru, A3002ru Firmware 2019-10-03 10.0 HIGH 9.8 CRITICAL
System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.
CVE-2018-13311 1 Totolink 2 A3002ru, A3002ru Firmware 2019-10-03 10.0 HIGH 9.8 CRITICAL
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
CVE-2018-13306 1 Totolink 2 A3002ru, A3002ru Firmware 2019-10-03 10.0 HIGH 9.8 CRITICAL
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.
CVE-2018-13316 1 Totolink 2 A3002ru, A3002ru Firmware 2019-10-03 10.0 HIGH 9.8 CRITICAL
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.
CVE-2018-13314 1 Totolink 2 A3002ru, A3002ru Firmware 2019-10-03 10.0 HIGH 9.8 CRITICAL
System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.
CVE-2018-13315 1 Totolink 2 A3002ru, A3002ru Firmware 2018-12-20 5.0 MEDIUM 9.8 CRITICAL
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.