A3002ru Firmware@1.0.8 Security Vulnerabilities and Issues — A3002ru Firmware@1.0.8 CVE List

Lucene search

TotolinkA3002ru Firmware1.0.8

12 matches found

CVE•added 2018/11/26 11:29 p.m.•46 views

CVE-2018-13315

Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.

9.8CVSS9.5AI score0.00965EPSS

CVE•added 2020/02/24 7:15 p.m.•43 views

CVE-2018-13313

In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user knows their current password before allowing them to change their password. However, this JavaScript c...

6.5CVSS6.5AI score0.00419EPSS

CVE•added 2018/11/27 9:0 p.m.•42 views

CVE-2018-13307

System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Certain payloads cause the device to become permanently inoperable.

10CVSS9.8AI score0.15297EPSS

CVE•added 2018/11/26 11:29 p.m.•40 views

CVE-2018-13308

Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "User phrases button" field.

6.1CVSS6.4AI score0.00212EPSS

CVE•added 2018/11/26 11:29 p.m.•36 views

CVE-2018-13310

Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.

6.1CVSS6.4AI score0.00212EPSS

CVE•added 2018/11/26 11:29 p.m.•35 views

CVE-2018-13312

Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.

6.1CVSS6.4AI score0.00212EPSS

CVE•added 2018/11/26 11:29 p.m.•32 views

CVE-2018-13309

Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.

6.1CVSS6.4AI score0.00212EPSS

CVE•added 2018/11/27 9:0 p.m.•32 views

CVE-2018-13316

System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter.

10CVSS9.8AI score0.15297EPSS

CVE•added 2018/11/26 11:29 p.m.•31 views

CVE-2018-13311

System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.

10CVSS9.8AI score0.03948EPSS

CVE•added 2018/11/26 11:29 p.m.•31 views

CVE-2018-13317

Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.

6.1CVSS6.2AI score0.00212EPSS

CVE•added 2018/11/27 9:0 p.m.•30 views

CVE-2018-13314

System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter.

10CVSS9.8AI score0.15297EPSS

CVE•added 2018/11/27 9:0 p.m.•28 views

CVE-2018-13306

System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter.

10CVSS9.8AI score0.15297EPSS